A Fixpoint Semantics of Event Systems with and without Fairness Assumptions


Abstract 

We present a fixpoint semantics of event systems. The semantics is presented in a general framework without concerns of fairness. Soundness and completeness of the rules for deriving leads-to properties are proved in this general framework. The general framework is then instantiated to minimal progress and weak fairness assumptions, and similar results are obtained. We show the power of these results by deriving sufficient conditions for leads-to under minimal progress, proving the soundness of the proof obligations without reasoning over state traces.

Keywords 

Liveness properties, event systems, action systems, unity logic, fairness, weak fairness, minimal progress, set transformers, fixpoints.

Résumé (French abstract, translated)

In this report we present a fixpoint semantics for event systems. The semantics is presented in a general framework without considerations of fairness. The soundness and completeness of the rules for deriving leads-to properties are proved in this general framework. The general framework is instantiated with minimal progress and weak fairness hypotheses, and similar results are proved. We show the power of these results by deriving sufficient conditions for leads-to properties under the minimal progress hypothesis, and we prove the soundness of these rules without reasoning over state traces.

Mots-clés (French keywords, translated)

Liveness properties, event systems, action systems, unity logic, fairness, weak fairness, minimal progress, set transformers, fixpoints.
1 Introduction


Action systems, or event systems, are useful abstractions to model discrete systems. Many formalisms have been proposed to model action systems. In these formalisms, the behavior of a system is described in terms of observations about its state, and they are known as state-based formalisms. As examples of state-based formalisms we can cite Back's action system formalism [ref] and UNITY [ref]. All of these formalisms have a common aspect: their semantics is founded on state traces of transition systems.

State traces of transition systems impose an operational reasoning about the behavior of a system. However, this operational behavior can be hidden by using temporal logic to specify safety and liveness properties. The semantics of temporal formulas is given by state traces of transition systems. A proof system allows us to derive properties from other proved properties without operational reasoning, only by symbolic calculations. Soundness and completeness of the logic are established by proofs relating logical formulas with assertions about state traces. So at this point, we come back to operational reasoning about the transition systems.

A more abstract possibility to define the semantics of action systems is to base it on fixpoints of set (or predicate) transformers. Inspired by [ref] and [ref], we characterize certain liveness properties as fixpoints of set transformers modeling the iteration of events, under minimal progress or weak fairness assumptions. We are only interested in properties of the form P leads-to Q, where P and Q are predicates on the state space of a system, with the informal meaning: "the system reaches a state satisfying Q when its execution arrives at any state in P". The fixpoint characterizing this property denotes the largest subset of states, containing all states satisfying P, from which the iteration of the events of the system is guaranteed to terminate in a state satisfying Q. Soundness and completeness of the rules allowing the derivation of leads-to properties are proved by demonstrating that the notions of reachability and termination are equal under minimal progress or weak fairness. Moreover, we give two examples of applications of these results: the first one is a proof of the sufficient conditions for liveness properties under minimal progress given in [ref]. The second one is an original result which gives sufficient conditions to derive a liveness property under minimal progress when the given property holds under weak fairness.

This report is an extended version of the semantics of event systems presented in [ref]. In particular, all proofs of that paper are given here in an explicit way, and a new section, considering the semantics with the strongest invariant, is presented. Paper [ref] presents comparisons with other works dealing with fairness properties; this part is not given here. The report is structured as follows. In Section 2 we present a system as a set transformer and we give the syntax and semantics of the common set transformers used to model events, or actions, in the system. Moreover, we give a brief review of liveness properties in unity logic to specify properties of an event system. In Section 3 we develop our semantics of event systems and we prove equality (soundness and completeness) between the notions of termination and reachability. In Section 4 we give examples of sufficient conditions to derive liveness properties using the results of the previous section. Finally, we give our conclusions and future work in Section 5. Annex A presents the proof of the leads-to properties as a relation between predicates or sets. Annex B shows the extension of the semantics to consider the strongest invariant. Annexes C, D and E present the proofs of Sections 3 and 4.
2 Set Transformers and UNITY Logic in Event Systems

In this section we introduce the main considerations about event systems and the specification of liveness properties in unity logic. This section is divided in two parts. The first part presents an event system as a set transformer and introduces the notion of liberal set transformer, as well as the dovetail operator that is used to model a weak fairness assumption. In the second part we recall the main ideas in the specification and proof of liveness properties under two fairness assumptions in UNITY-like logic.


2.1 Set Transformers 

A set transformer is a total function of type $\mathbb{P}(\mathcal{U}) \to \mathbb{P}(\mathcal{U})$ for a certain set $\mathcal{U}$. An event system is made out of a family of events. Any event may be executed in any state where its guard, a boolean condition on the state, holds. When the guard of an event holds, we say that the event is enabled. As in event-B systems, we consider a system with state variable $x$ and invariant $I$. The state space $u$ of the system is the set of states where $I$ holds: $u = \{z \mid I(z)\}$. Therefore the events of the system are modeled by conjunctive set transformers $E_i$ of type $\mathbb{P}(u) \to \mathbb{P}(u)$, where $i$ belongs to a certain finite index set $L$. Consequently, the system is modeled by a conjunctive set transformer $S$ which is the bounded choice of the events $E_i$ for $i \in L$. We denote by $\mathcal{S}$ the set of events of $S$: $\mathcal{S} = \{E_i \mid i \in L\}$.

For any set transformer $T$ of type $\mathbb{P}(u) \to \mathbb{P}(u)$ and subset $r$ of $u$, $T(r)$ denotes the largest subset of states where execution of $T$ must begin in order for $T$ to terminate in a state belonging to $r$ [ref]. The primitive set transformers considered in this paper are similar to the primitive generalized substitutions in B: skip, bounded choice, sequence, guarded and preconditioned set transformers. Following the work reported in [ref], for any set transformer $T$ and subset $r$ of $u$, we denote by $\mathcal{L}(T)(r)$ the liberal set transformer of $T$, which denotes the largest subset of states where the execution of $T$ must begin in order for $T$ to terminate in a state belonging to $r$ or loop. Common set transformers and liberal set transformers are defined as follows (footnote 1):


$(\mathcal{L})(\mathrm{skip})(r) = r$
$(\mathcal{L})(E\,;\,G)(r) = (\mathcal{L})(E)((\mathcal{L})(G)(r))$
$(\mathcal{L})(E \mathrel{[]} G)(r) = (\mathcal{L})(E)(r) \cap (\mathcal{L})(G)(r)$
$(\mathcal{L})(p \Longrightarrow F)(r) = \overline{p} \cup (\mathcal{L})(F)(r)$

In the guarded event, $\overline{p}$ denotes $u - p$. For the preconditioned event we have:

$(p \mid F)(r) = p \cap F(r)$
$\mathcal{L}(p \mid F)(r) = p \cap \mathcal{L}(F)(r)$ if $r \neq u$, and $\mathcal{L}(p \mid F)(r) = \mathcal{L}(F)(r)$ if $r = u$


The definitions of liberal set transformers presented here are the set counterpart of the definitions in [ref]. The set transformers $F(r)$ and $\mathcal{L}(F)(r)$ for an event $F$ and a postcondition $r$ are related by the pairing condition:

$F(r) = \mathcal{L}(F)(r) \cap \mathrm{pre}(F)$

where $\mathrm{pre}(F)$, the termination set of $F$, is equal to $F(u)$. From the pairing condition, we conclude:

$F(u) = u \;\Rightarrow\; F(r) = \mathcal{L}(F)(r)$

Footnote 1: For any set transformer $T$, $(\mathcal{L})(T)(r)$ stands for either the set $T(r)$ or the set $\mathcal{L}(T)(r)$, so that each of the definitions above defines both.
We say that a set transformer $F$ is strict when it respects the excluded miracle law:

$F(\emptyset) = \emptyset$

For any set transformer $F$, when $F(r)$ or $\mathcal{L}(F)(r)$ are recursively defined:

$F(r) = \mathcal{F}(F(r))$ or $\mathcal{L}(F)(r) = \mathcal{G}(\mathcal{L}(F)(r))$

for monotonic functions $\mathcal{F}$ and $\mathcal{G}$, according to [7] we take $F(r)$ as the strongest solution of the equation $X = \mathcal{F}(X)$ and $\mathcal{L}(F)(r)$ as the weakest solution of the equation $X = \mathcal{G}(X)$. As these solutions are fixpoints, we take $F(r)$ as the least fixpoint of $\mathcal{F}$ ($\mathrm{fix}(\mathcal{F})$) and $\mathcal{L}(F)(r)$ as the greatest fixpoint of $\mathcal{G}$ ($\mathrm{FIX}(\mathcal{G})$).

The Dovetail Operator. To model a weak fairness assumption, we use the dovetail operator $\nabla$, which is a fair nondeterministic choice operator. The dovetail operator is used to model the notion of fair scheduling of two activities. Let $A$ and $B$ be these activities; then the operational meaning of the construct $A \mathrel{\nabla} B$ denotes the execution of the commands $A$ and $B$ fairly in parallel, on separate copies of the state, accepting as an outcome any proper, nonlooping outcome of either $A$ or $B$. The fair execution of $A$ and $B$ means that neither computation is permanently neglected in favor of the other.

The semantic definition of the dovetail operator in [1] is given by the definition of its weakest liberal precondition predicate transformer ($wlp$) and its termination predicate $hlt$. We give an equivalent definition using the weakest liberal set transformer $\mathcal{L}$ and its termination set $\mathrm{pre}$:

$\mathcal{L}(F \mathrel{\nabla} G)(r) = \mathcal{L}(F)(r) \cap \mathcal{L}(G)(r)$ (1)

$\mathrm{pre}(F \mathrel{\nabla} G) = (F(u) \cup G(u)) \cap (\overline{F(\emptyset)} \cup G(u)) \cap (\overline{G(\emptyset)} \cup F(u))$ (2)

We recall that $\mathrm{grd}(F) = \overline{F(\emptyset)}$. From these definitions, in [ref] we prove the guard property of the dovetail: $\mathrm{grd}(A \mathrel{\nabla} B) = \mathrm{grd}(A) \cup \mathrm{grd}(B)$.

A motivating example of the use of the dovetail operator is given in [ref]. In that example the recursive definition $X = (n := 0 \mathrel{\nabla} (X\,;\,n := n + 1))$, which has as solution "set $n$ to any natural number", is contrasted with the recursion $Y = (n := 0 \mathrel{[]} (Y\,;\,n := n + 1))$, which has as solution "set $n$ to any natural number or loop". The possibility of looping in $X$ is excluded with the dovetail operator because the fair choice of the statement $n := 0$ will certainly occur. In $Y$ the execution of that statement is not ensured.

2.2 Liveness Properties in Event Systems

In this section we give a brief summary of some results in the specification and proof of liveness properties presented in [ref], [ref] and [ref]. In these works, we propose the use of unity logic to specify and prove liveness properties in event-B systems.

Liveness properties are divided in two groups: basic and general liveness properties. Each of these properties is specified by relations on the state of the system. In order to specify and prove these properties we consider a minimal progress or a weak fairness assumption.

Basic Properties under Weak Fairness. A weak fairness assumption states that any continuously enabled event is infinitely often executed. For any event $G$ in the set $\mathcal{S}$, we write $G \cdot P \succ Q$ (pronounce "by event $G$, $P$ ensures $Q$") to specify that by the execution of event $G$ in a state satisfying $P$ the system goes to another state satisfying $Q$, under a weak fairness assumption. In [ref] we propose sufficient conditions WF0 and WF1 to guarantee the intended meaning of these properties. These conditions were stated in terms of predicates, but we present them as a set expression:

$p \cap \overline{q} \subseteq S(p \cup q) \cap \mathrm{grd}(G) \cap G(q) \;\Rightarrow\; G \cdot x \in p \succ x \in q$ (3)

where $x$ is the state variable of $S$, $p = \{z \mid z \in u \wedge P\}$ and $q = \{z \mid z \in u \wedge Q\}$ for certain predicates $P$ and $Q$.

Basic Properties under Minimal Progress. Under a minimal progress assumption, if two or more statements are enabled in a given state, the selection of the statement enabled for execution is non-deterministic. We write $P \succ_m Q$ (pronounce "$P$ ensures $Q$") to specify that the execution of any event of $S$, in a state satisfying $P$, terminates in a state establishing $Q$. In [13] we give sufficient conditions MP0 and MP1 to prove basic properties under minimal progress. We present them as a set expression as follows, for sets $p$ and $q$ defined as above:

$p \cap \overline{q} \subseteq S(q) \cap \mathrm{grd}(S) \;\Rightarrow\; x \in p \succ_m x \in q$ (4)

General Properties. General liveness properties are specified by the leads-to operator $\rightsquigarrow$. Depending on the fairness assumption considered, we have general liveness properties under minimal progress or weak fairness assumptions. However, the leads-to relation is defined in the same way as a closure relation: it contains the base relation and it is both transitive and disjunctive. A property $P \rightsquigarrow Q$ holds in an event system if it is derived by a finite number of applications of the rules defined by the unity theory:

Rule   Antecedent                                                      Consequent
BRL    $P \succ Q$                                                     $P \rightsquigarrow Q$
TRA    $P \rightsquigarrow R$, $R \rightsquigarrow Q$                  $P \rightsquigarrow Q$
DSJ    $\forall i \cdot (i \in I \Rightarrow P(i) \rightsquigarrow Q)$   $\exists i \cdot (i \in I \wedge P(i)) \rightsquigarrow Q$

$P \succ Q$ in the BRL rule stands for the basic liveness property $G \cdot P \succ Q$ for some $G$ in $\mathcal{S}$, in the case where we consider a property under a weak fairness assumption, or for $P \succ_m Q$ in the case where we consider a minimal progress assumption. In the disjunction rule DSJ, $I$ is any index set.

3 Reachability and Termination

In this section, we prove soundness and (relative) completeness of the rules BRL, TRA and DSJ for general liveness properties under minimal progress and weak fairness assumptions in event systems. These rules are sound if, for any property $P \rightsquigarrow Q$, the iteration of events, under minimal progress or weak fairness assumptions, starting in a state satisfying $P$, leads to a state of the system where $Q$ holds. Completeness of these rules is proved by showing that $P \rightsquigarrow Q$ can be derived from the fact that any iteration of events, starting in a state where $P$ holds, terminates in a state satisfying $Q$.

We do not expect that any iteration of events in a system terminates in a state where the guards of every event are disabled. However, we can model an iteration of events which always terminates in a certain state by supposing, just for the reasoning, that the events of the system are embedded in a certain guarded event which models the iteration under a fairness assumption. The iteration only proceeds when the guard of that event is enabled. Termination of the iteration will be in a state where the guard does not hold. In this way, if the guard of the iteration is $\neg Q$, and the iteration starts in a state where $P$ holds, the system reaches a state where $Q$ holds. Reachability from $P$ to $Q$ is then associated with termination of the iteration of events. In the following subsection, we formalize our claims in a general framework without concerns of fairness, and then we particularize these results to minimal progress or weak fairness assumptions in two further subsections.

To simplify matters, the strongest invariant [ref] is not considered in the definitions of this section. Therefore, instead of the implications in proof obligations (3) and (4), used to prove basic liveness properties under weak fairness or minimal progress assumptions respectively, we consider them as definitions. In annex B we restate the results given in this section to consider the strongest invariant, and we consider again proof obligations (3) and (4) as implications, as they are stated.

3.1 A General Framework

In this subsection we define a set transformer to model the iteration of events and we state its main characteristics. We use this set transformer to define the termination relation. Then we give a representation of the leads-to relation of unity logic as a relation between subsets of $u$, and we use it to define the reachability relation. Finally we prove that the termination and the reachability relations are equal.

3.1.1 Termination. We consider a set transformer $W$ which models a step of the iteration of events in a system $S$. At this time we cannot define the meaning of such a step; however, we need two properties of $W$: it must be monotonic and strict. When we particularize the iteration under a fairness assumption, the meaning of $W$ will be given in terms of $S$. For any $r$ in $\mathbb{P}(u)$, $W(r)$ denotes the largest subset of states where the execution of $W$ must begin in order for $W$ to terminate in a state belonging to $r$.

To model the iteration of events until the system reaches a state in a certain set $r$ in $\mathbb{P}(u)$, we define a guarded event $\mathcal{F}(r)$:

$\mathcal{F}(r) = (\overline{r} \Longrightarrow W)$ (5)

for any $r \in \mathbb{P}(u)$, which allows iteration of $W$ while the system stays in any state in $\overline{r}$. Iteration of $\mathcal{F}(r)$ is modeled by the $\wedge$ operator: $\mathcal{F}(r)^{\wedge}$. As this operator has a recursive definition:

$\mathcal{F}(r)^{\wedge} = (\mathcal{F}(r)\,;\,\mathcal{F}(r)^{\wedge}) \mathrel{[]} \mathrm{skip}$

the set where termination of $\mathcal{F}(r)^{\wedge}$ is guaranteed ($\mathrm{pre}(\mathcal{F}(r)^{\wedge})$) is given by $\mathrm{fix}(\mathcal{F}(r))$.

As $W$ may model an unbounded nondeterministic set transformer, we use the Generalized Limit Theorem to formally justify that any iteration of $\mathcal{F}(r)$ starting in $\mathrm{pre}(\mathcal{F}(r)^{\wedge})$ terminates in some state of $r$. This theorem characterizes the least fixpoint of monotonic functions as an infinite join. We use the version presented in [ref], particularizing the theorem to monotonic set transformers. The theorem is as follows:

Theorem 1. (Generalized Limit Theorem)

Let $f$ be a monotonic set transformer, and let $f^{\alpha}$, for ordinal $\alpha$, be defined inductively by

$f^{\alpha} = \bigcup \beta \cdot (\beta < \alpha \mid f(f^{\beta}))$ (6)

Then $\mathrm{fix}(f) = f^{\alpha}$ for some ordinal $\alpha$.
The proof of this theorem is given in [ref]. It states that we can choose any ordinal $\gamma$ such that $\gamma > \mathrm{card}(\mathrm{dom}(f))$, and then we must have $f^{\alpha} = f^{\beta}$ for some $\alpha < \beta < \gamma$. Then it is proved that the common value of $f^{\alpha}$ and $f^{\beta}$ is the least fixpoint of $f$.

As $W$ is a monotonic function, $\mathcal{F}(r)$ is monotonic, and Theorem 1 can be applied to calculate the least fixpoint of $\mathcal{F}(r)$. According to the theorem, we conclude that $\mathcal{F}(r)^{0} = \emptyset$ and $\mathcal{F}(r)^{1} = r$, because $W$ is strict. Moreover, for any ordinal $\alpha$, [...] and [...]. This fact formally supports our claim that the termination set of $\mathcal{F}(r)^{\wedge}$, $\mathrm{fix}(\mathcal{F}(r))$, contains the states where any iteration of $\mathcal{F}(r)$ terminates in a state in $r$. Now, we can define the termination relation $T$ as follows:

Definition 1. (Termination Relation)

$T = \{a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge a \subseteq \mathrm{fix}(\mathcal{F}(b))\}$ (7)


3.1.2 Reachability. As presented in Section 2.2, the leads-to relation of unity logic is defined as a relation between predicates on the state of programs. In this section we define a similar relation, $L$, but instead of predicates, we define it as a relation between subsets of states in $u$ ($L \subseteq \mathbb{P}(u) \times \mathbb{P}(u)$). Any pair $a \mapsto b$ in $L$ indicates that the system reaches a state in $b$ when its execution arrives at any state in $a$. For this reason we name $L$ the reachability relation.

The definition of $L$ is given by induction. The base case needs the definition of the basic relation $\mathcal{E}$. At this time $\mathcal{E}$ cannot be defined. As indicated in Section 2.2, basic liveness properties depend on fairness assumptions. $\mathcal{E}$ will be defined in the following sections according to minimal progress or weak fairness assumptions. However, these definitions must satisfy two requirements. The first requirement is as follows: if $a \subseteq b$, for any $a$ and $b$ in $\mathbb{P}(u)$, then $a \mapsto b \in \mathcal{E}$ must hold. The second requirement relates $\mathcal{E}$ with the set transformer $W$: for any ordered pair $a \mapsto b \in \mathcal{E}$, the inclusion $a \cap \overline{b} \subseteq W(b)$ must hold. This inclusion indicates that any execution of $W$ starting in $a \cap \overline{b}$ terminates in a state of $b$.

Definition 2. (Reachability Relation)

The reachability relation $L$, $L \in \mathbb{P}(u) \leftrightarrow \mathbb{P}(u)$, is defined by the following induction scheme:

(SBR).- $\mathcal{E} \subseteq L$
(STR).- $L\,;\,L \subseteq L$
(SDR).- $\forall (q, l) \cdot (q \in \mathbb{P}(u) \wedge l \subseteq \mathbb{P}(u) \Rightarrow (l \times \{q\} \subseteq L \Rightarrow \bigcup(l) \mapsto q \in L))$
Closure.- $\forall l' \cdot (l' \in \mathbb{P}(u) \leftrightarrow \mathbb{P}(u) \wedge \mathcal{E} \subseteq l' \wedge l'\,;\,l' \subseteq l' \wedge \forall (q, l) \cdot (q \in \mathbb{P}(u) \wedge l \subseteq \mathbb{P}(u) \Rightarrow (l \times \{q\} \subseteq l' \Rightarrow \bigcup(l) \mapsto q \in l')) \Rightarrow L \subseteq l')$

$\bigcup(l)$ in the SDR rule and in the closure clause denotes the generalized union of the subsets in $l$. Rules SBR, STR and SDR are the set counterpart of the basic rule for leads-to BRL, the transitivity rule TRA and the disjunction rule DSJ respectively, as defined in Section 2.2.

In order to connect $L$ with the leads-to relation of unity logic, we have the following equivalence:

$P(x) \rightsquigarrow Q(x) \;\equiv\; \{z \mid z \in u \wedge P(z)\} \mapsto \{z \mid z \in u \wedge Q(z)\} \in L$ (8)

We note that the property $P \rightsquigarrow Q$ in unity is equivalent to $P \wedge I \rightsquigarrow Q \wedge I$, considering $I$ as an invariant of $S$, because the leads-to relation is defined on the states reachable from the initial conditions [ref]. The proof of this equivalence is given in annex A.
3.1.3 Soundness and Completeness. We are now ready to state our main theorem, formally indicating that the termination and reachability relations are equal:

Theorem 2. (Soundness and Completeness)

Let $W$ be a monotonic and strict set transformer and $\mathcal{F}(r) = (\overline{r} \Longrightarrow W)$ for any $r$ in $\mathbb{P}(u)$. Let the relations $T$ and $L$ be defined as in Definitions 1 and 2 respectively. Considering (a) $a \mapsto b \in \mathcal{E} \Rightarrow a \cap \overline{b} \subseteq W(b)$, (b) $a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}$ and (c) $W(r) \mapsto r \in L$, for any $a$, $b$ and $r$ in $\mathbb{P}(u)$, the following equality holds:

$L = T$

Premises (a) and (b) were commented on in the previous section. Premise (c) asserts that any set $r$ is reached from the set $W(r)$, which is the largest subset of states where a step of the iteration terminates in $r$.

The proof of this theorem is given in two parts: first we prove the inclusion $L \subseteq T$ and then $T \subseteq L$.


Proof of $L \subseteq T$. The proof of this inclusion follows from the closure clause in Definition 2, particularizing the quantified variable $l'$ to the relation $T$. Then $L \subseteq T$ follows from $\mathcal{E} \subseteq T$, $T\,;\,T \subseteq T$ and $l \times \{q\} \subseteq T \Rightarrow \bigcup(l) \mapsto q \in T$, for any $l$ in $\mathbb{P}(\mathbb{P}(u))$ and $q$ in $\mathbb{P}(u)$.

The proof of $\mathcal{E} \subseteq T$ uses the following property for a monotonic function $f$ and the iteration defined in (6):

$\forall \alpha \cdot (f^{\alpha} \subseteq \mathrm{fix}(f))$ (9)

which is easily proved by transfinite induction; the proof is given in the appendix. The proof of $\mathcal{E} \subseteq T$ is given by the proof of $a \mapsto b \in \mathcal{E} \Rightarrow a \mapsto b \in T$:

1. $a \mapsto b \in \mathcal{E}$ ; premise
2. $a \cap \overline{b} \subseteq W(b)$ ; 1 and hyp. (a)
3. $a \subseteq \mathcal{F}(b)(b)$ ; 2 and def. (5)
4. $a \subseteq \mathcal{F}(b)^{2}$ ; 3 and iterate (6)
5. $a \subseteq \mathrm{fix}(\mathcal{F}(b))$ ; 4 and (9)
6. $a \mapsto b \in T$ ; 5 and def. (7)

In order to prove the transitivity of $T$, we need the following property:

$a \mapsto b \in T \;\Rightarrow\; \mathrm{fix}(\mathcal{F}(a)) \subseteq \mathrm{fix}(\mathcal{F}(b))$ (10)

for any $a$ and $b$ in $\mathbb{P}(u)$. Taking $a \mapsto b \in T$ as a premise, and considering $\mathrm{fix}(\mathcal{F}(a))$ as the least fixpoint of $\mathcal{F}(a)$, in order to prove property (10) it suffices to prove $\mathcal{F}(a)(\mathrm{fix}(\mathcal{F}(b))) \subseteq \mathrm{fix}(\mathcal{F}(b))$, which follows directly from $a \mapsto b \in T$ and $\mathcal{F}(b)(\mathrm{fix}(\mathcal{F}(b))) = \mathrm{fix}(\mathcal{F}(b))$. Now the proof of $T\,;\,T \subseteq T$ is equivalent to proving $a \mapsto b \in T\,;\,T \Rightarrow a \mapsto b \in T$ for any $a$ and $b$ in $\mathbb{P}(u)$:

1. $\exists c \cdot (a \mapsto c \in T \wedge c \mapsto b \in T)$ ; from $a \mapsto b \in T\,;\,T$
2. $\exists c \cdot (a \subseteq \mathrm{fix}(\mathcal{F}(c)) \wedge c \mapsto b \in T)$ ; 1 and def. $T$
3. $\exists c \cdot (a \subseteq \mathrm{fix}(\mathcal{F}(c)) \wedge \mathrm{fix}(\mathcal{F}(c)) \subseteq \mathrm{fix}(\mathcal{F}(b)))$ ; 2 and (10)
4. $a \subseteq \mathrm{fix}(\mathcal{F}(b))$ ; 3
5. $a \mapsto b \in T$ ; 4 and def. $T$
Finally, the proof of $l \times \{q\} \subseteq T \Rightarrow \bigcup(l) \mapsto q \in T$ is as follows:

1. $l \times \{q\} \subseteq T$ ; premise
2. $\forall p \cdot (p \in l \Rightarrow p \mapsto q \in T)$ ; 1
3. $\forall p \cdot (p \in l \Rightarrow p \subseteq \mathrm{fix}(\mathcal{F}(q)))$ ; 2 and def. $T$
4. $\bigcup(l) \subseteq \mathrm{fix}(\mathcal{F}(q))$ ; 3
5. $\bigcup(l) \mapsto q \in T$ ; 4 and def. $T$

This last deduction concludes the proof of $L \subseteq T$.


Proof of $T \subseteq L$. The proof of this inclusion requires the following property:

$\forall r \cdot (r \in \mathbb{P}(u) \Rightarrow \mathcal{F}(r)^{\alpha} \mapsto r \in L)$ for any ordinal $\alpha$ (11)

The proof of (11) is done by transfinite induction. For a successor ordinal we need to prove $\mathcal{F}(r)^{\alpha} \mapsto r \in L \Rightarrow \mathcal{F}(r)^{\alpha+1} \mapsto r \in L$; this proof is given in the appendix. For a limit ordinal we prove $\forall \beta \cdot (\beta < \alpha \Rightarrow \mathcal{F}(r)^{\beta} \mapsto r \in L) \Rightarrow \mathcal{F}(r)^{\alpha} \mapsto r \in L$:

1. $\forall \beta \cdot (\beta < \alpha \Rightarrow \mathcal{F}(r)^{\beta} \mapsto r \in L)$ ; ind. hyp.
2. $\forall \beta \cdot (\beta < \alpha \Rightarrow W(\mathcal{F}(r)^{\beta}) \mapsto \mathcal{F}(r)^{\beta} \in L)$ ; from hyp. (c)
3. $\forall \beta \cdot (\beta < \alpha \Rightarrow W(\mathcal{F}(r)^{\beta}) \mapsto r \in L)$ ; 2, 1 and STR
4. $r \mapsto r \in L$ ; hyp. (b) and SBR
5. $\forall \beta \cdot (\beta < \alpha \Rightarrow r \cup W(\mathcal{F}(r)^{\beta}) \mapsto r \in L)$ ; 4, 3 and SDR
6. $\forall \beta \cdot (\beta < \alpha \Rightarrow \mathcal{F}(r)(\mathcal{F}(r)^{\beta}) \mapsto r \in L)$ ; def. $\mathcal{F}(r)$ and 5
7. $\bigcup \beta \cdot (\beta < \alpha \mid \mathcal{F}(r)(\mathcal{F}(r)^{\beta})) \mapsto r \in L$ ; 6 and SDR
8. $\mathcal{F}(r)^{\alpha} \mapsto r \in L$ ; 7 and def. iterate

Using (11), we prove $T \subseteq L$ by the proof of $a \mapsto b \in T \Rightarrow a \mapsto b \in L$ for any $a$ and $b$ in $\mathbb{P}(u)$ as follows:

1. $a \subseteq \mathrm{fix}(\mathcal{F}(b))$ ; from $a \mapsto b \in T$
2. $\exists \alpha \cdot (a \subseteq \mathcal{F}(b)^{\alpha})$ ; 1 and Theorem 1
3. $\exists \alpha \cdot (a \mapsto \mathcal{F}(b)^{\alpha} \in L)$ ; 2, (b) and SBR
4. $\exists \alpha \cdot (a \mapsto \mathcal{F}(b)^{\alpha} \in L \wedge \mathcal{F}(b)^{\alpha} \mapsto b \in L)$ ; 3 and (11)
5. $a \mapsto b \in L$ ; 4 and STR

This deduction concludes the proof of Theorem 2.


3.2 Minimal Progress

In this subsection we define the termination and reachability relations under minimal progress and we prove that they satisfy the premises of Theorem 2. Therefore we claim that the relations $T$ and $L$ are equal in the case of minimal progress.


3.2.1 Termination under MP. To model a step of the iteration of events of the system $S$ under a minimal progress assumption, we note that if we need to establish a certain postcondition when this step is achieved, any event in $S$ must be able to establish the postcondition. Moreover, as we are interested in the execution of any event, we need to start the execution step in a state satisfying the guard of at least one event. Therefore, taking into account these considerations, we propose the following preconditioned set transformer:

$W_m = \mathrm{grd}(S) \mid S$ (12)

From the definition of the preconditioned set transformer in Section 2.1 we actually have $W_m(r) = \mathrm{grd}(S) \cap S(r)$. From the monotonicity of $S$ we derive the monotonicity of $W_m$, and $W_m(\emptyset) = \mathrm{grd}(S) \cap S(\emptyset) = \emptyset$ (since $\mathrm{grd}(S) = \overline{S(\emptyset)}$), which proves the strictness of $W_m$.

The body of the iteration of events under minimal progress is the guarded event $\mathcal{F}_m(r)$ defined as follows:

$\mathcal{F}_m(r) = \overline{r} \Longrightarrow W_m$ (13)

The definition of the termination relation under minimal progress is given by all ordered pairs $a \mapsto b$ satisfying $a \subseteq \mathrm{pre}(\mathcal{F}_m(b)^{\wedge})$:

$T_m = \{a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge a \subseteq \mathrm{fix}(\mathcal{F}_m(b))\}$ (14)


3.2.2 Reachability under MP. The basic relation under minimal progress contains all ordered pairs $a \mapsto b$ from which we can derive a property $x \in a \succ_m x \in b$ by (4):

$\mathcal{E}_m = \{a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge a \cap \overline{b} \subseteq S(b) \cap \mathrm{grd}(S)\}$ (15)

From the definitions of $\mathcal{E}_m$ and $W_m$, the proof of premise (a) of Theorem 2 follows for the case of minimal progress, $a \mapsto b \in \mathcal{E}_m \Rightarrow a \cap \overline{b} \subseteq W_m(b)$:

1. $a \mapsto b \in \mathcal{E}_m$ ; premise
2. $a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap S(b)$ ; 1 and def. (15)
3. $a \cap \overline{b} \subseteq (\mathrm{grd}(S) \mid S)(b)$ ; 2 and set transf.
4. $a \cap \overline{b} \subseteq W_m(b)$ ; 3 and def. (12)

From the definition of $\mathcal{E}_m$, the implication $a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_m$ follows immediately because $a \cap \overline{b} = \emptyset$. It proves premise (b) of Theorem 2 for the case of minimal progress.

Now, we use an induction scheme to define the reachability relation under minimal progress, $L_m$, similar to Definition 2. Therefore $L_m$ is the smallest relation containing the base relation $\mathcal{E}_m$ and it is both transitive and disjunctive.

Finally we prove that the weakest precondition $W_m(r)$, for any $r \in \mathbb{P}(u)$, leads to $r$: $W_m(r) \mapsto r \in L_m$:

1. $\mathrm{grd}(S) \cap S(r) \cap \overline{r} \subseteq \mathrm{grd}(S) \cap S(r)$ ; trivial
2. $\mathrm{grd}(S) \cap S(r) \mapsto r \in \mathcal{E}_m$ ; 1 and def. (15)
3. $W_m(r) \mapsto r \in \mathcal{E}_m$ ; 2 and (12)
4. $W_m(r) \mapsto r \in L_m$ ; 3 and def. $L_m$

This proves premise (c) of Theorem 2 for the case of minimal progress.

At this time, the monotonicity and strictness of $W_m$ and the premises (a), (b) and (c) of Theorem 2 instantiated to the case of minimal progress have been proved. Therefore the equality between the termination and reachability relations is stated:

$T_m = L_m$ (16)


3.3 Weak Fairness 

In this subsection, we define the termination and reachability relations for weak fairness assumptions. We prove that the premises of Theorem 2, instantiated to the case of weak fairness, are satisfied with these definitions. Therefore we claim the equality between these relations.
3.3.1 Termination under WF. We use the dovetail operator presented in Section 2.1 to model a fair loop for a certain event $G$ in $\mathcal{S}$:

$Y(q)(G) = \overline{q} \Longrightarrow ((S\,;\,Y(q)(G)) \mathrel{\nabla} (\mathrm{grd}(G) \mid G))$ (17)

The guard $\overline{q}$ of this loop prevents iteration of the fair choice in any state belonging to $q$. Informally, we expect that any execution of $Y(q)(G)$ in any state in $q \cup \mathrm{grd}(G)$ terminates. Execution of $Y(q)(G)$ in $\overline{q} \cap \mathrm{grd}(G)$ cannot loop forever because the dovetail operator prevents unlimited execution of the branch $S\,;\,Y(q)(G)$. Moreover, the set transformer $\mathrm{grd}(G) \mid G$ is always enabled ($\mathrm{grd}(\mathrm{grd}(G) \mid G) = u$) and therefore it will eventually be executed. All our claims are formally justified by the calculation of the termination set and of the liberal weakest precondition of $Y(q)(G)$, for any $q$ and $r$, $r \neq u$, in $\mathbb{P}(u)$:

$\mathrm{pre}(Y(q)(G)) = \mathrm{fix}((\overline{q} \cap G(\emptyset)) \Longrightarrow S)$ (18)

$\mathcal{L}(Y(q)(G))(r) = \mathrm{FIX}(\overline{q} \Longrightarrow ((\mathrm{grd}(G) \cap G(r)) \mid S))$ (19)

These calculations follow from the definitions of set transformers given in Section 2.1 and the extreme solutions of the recursive equations generated. The proof of (18) and (19) is given in appendix D. Moreover, in appendix D appears the proof of the following inclusion, for any $q$ and $r$ in $\mathbb{P}(u)$:

$\mathcal{L}(Y(q)(G))(r) \subseteq \mathrm{pre}(Y(q)(G))$ (20)

(19), (20) and the pairing condition give us the set transformer associated with the fair loop:

$Y(q)(G)(r) = \mathrm{FIX}(\overline{q} \Longrightarrow ((\mathrm{grd}(G) \cap G(r)) \mid S))$ (21)

From this definition follows the monotonicity of $Y(q)(G)$, which is proved in appendix D. The fair loop $Y(q)(G)$ models a fair $G$-step in the iteration of events under weak fairness assumptions. We say that $G$ is the helpful event in this $G$-step. A fair step in the iteration of events is modeled by the following set transformer:

$W_w = \lambda r \cdot (r \subseteq u \mid \bigcup G \cdot (G \in \mathcal{S} \mid Y(r)(G)(r)))$ (22)

From (21) follows $\mathrm{grd}(Y(q)(G)) = \overline{q}$ for any $G$ in $\mathcal{S}$ and $q \in \mathbb{P}(u)$; therefore the strictness of $W_w$ follows. On the other hand, from the monotonicity of $Y(q)(G)$ follows the monotonicity of $W_w$. These three proofs are given in appendix D.

The body of the iteration of events under weak fairness is the guarded event $\mathcal{F}_w(r)$ defined as follows:

$\mathcal{F}_w(r) = \overline{r} \Longrightarrow W_w$ (23)

The definition of the termination relation under weak fairness is:

$T_w = \{a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge a \subseteq \mathrm{fix}(\mathcal{F}_w(b))\}$ (24)

3.3.2 Reachability under WF. We define the basic relation $\mathcal{E}_w(G)$ for a helpful event $G$ as the set of pairs $a \mapsto b$ from which we can derive a property $G \cdot x \in a \succ x \in b$ by (3):

$\mathcal{E}_w(G) = \{a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge a \cap \overline{b} \subseteq S(a \cup b) \cap \overline{G(\emptyset)} \cap G(b)\}$ (25)

Now, the basic relation for weak fairness is:

$\mathcal{E}_w = \bigcup G \cdot (G \in \mathcal{S} \mid \mathcal{E}_w(G))$ (26)
The proof of premise (a) of Theorem 2 instantiated to weak fairness requires the following property, which is proved in appendix D:

$\forall G \cdot (G \in \mathcal{S} \wedge a \mapsto b \in \mathcal{E}_w(G) \Rightarrow a \subseteq Y(b)(G)(b))$ (27)

Using (27), the proof of $a \mapsto b \in \mathcal{E}_w \Rightarrow a \cap \overline{b} \subseteq W_w(b)$ is:

1. $\forall G \cdot (G \in \mathcal{S} \Rightarrow (a \mapsto b \in \mathcal{E}_w(G) \Rightarrow a \subseteq Y(b)(G)(b)))$ ; (27)
2. $\exists G \cdot (G \in \mathcal{S} \wedge a \mapsto b \in \mathcal{E}_w(G)) \Rightarrow a \subseteq W_w(b)$ ; 1 and (22)
3. $a \mapsto b \in \bigcup G \cdot (G \in \mathcal{S} \mid \mathcal{E}_w(G)) \Rightarrow a \subseteq W_w(b)$ ; 2
4. $a \mapsto b \in \mathcal{E}_w \Rightarrow a \subseteq W_w(b)$ ; 3 and (26)
5. $a \mapsto b \in \mathcal{E}_w \Rightarrow a \cap \overline{b} \subseteq W_w(b)$ ; 4 and $b \subseteq W_w(b)$

From (25) immediately follows $a \mapsto b \in \mathcal{E}_w(G)$, for any $G$ in $\mathcal{S}$, if $a \subseteq b$ holds, and from (26) follows $a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_w$. This proves premise (b) of Theorem 2.

We use an induction scheme to define the reachability relation under weak fairness, $L_w$, similar to Definition 2. Therefore $L_w$ is the smallest relation containing the base relation $\mathcal{E}_w$ and it is both transitive and disjunctive.

From (21) and (25) follows the property:

$\forall (G, r) \cdot (G \in \mathcal{S} \wedge r \subseteq u \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}_w(G))$ (28)

We use this property to prove premise (c) of Theorem 2, $W_w(r) \mapsto r \in L_w$, as follows:

1. $\forall G \cdot (G \in \mathcal{S} \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}_w(G))$ ; from (28)
2. $\forall G \cdot (G \in \mathcal{S} \Rightarrow \mathcal{E}_w(G) \subseteq \mathcal{E}_w)$ ; def. (26)
3. $\forall G \cdot (G \in \mathcal{S} \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}_w)$ ; 2 and 1
4. $\forall G \cdot (G \in \mathcal{S} \Rightarrow Y(r)(G)(r) \mapsto r \in L_w)$ ; def. $L_w$
5. $\{Y(r)(G)(r) \mid G \in \mathcal{S}\} \times \{r\} \subseteq L_w$ ; 4
6. $\bigcup(\{Y(r)(G)(r) \mid G \in \mathcal{S}\}) \mapsto r \in L_w$ ; 5 and SDR
7. $\bigcup G \cdot (G \in \mathcal{S} \mid Y(r)(G)(r)) \mapsto r \in L_w$ ; 6
8. $W_w(r) \mapsto r \in L_w$ ; 7 and def. (22)

At this time the termination ($T_w$), basic ($\mathcal{E}_w$) and reachability ($L_w$) relations for weak fairness assumptions have been defined. The monotonicity and strictness of the set transformer $W_w$, and premises (a), (b) and (c) of Theorem 2 instantiated to the case of weak fairness, have been proved. Therefore, the equality between the termination and reachability relations under weak fairness is stated:

$T_w = L_w$ (29)

4 Deriving Liveness Properties

In this section we present two examples where we show the practical usefulness of the equalities between termination and reachability relations under minimal progress and weak fairness assumptions. This section is divided into three parts. In the first part we state and prove the Variant Theorem, which allows us to prove termination of iterations over a set transformer if a variant decreases. In the second part we use this theorem to prove a sufficient condition allowing the derivation of liveness properties under minimal progress. Finally, we give another sufficient condition to derive a liveness property under minimal progress when a similar property holds under weak fairness assumptions.
4.1 The Variant Theorem

The variant theorem allows us to prove termination of the iteration of conjunctive set transformers. This theorem considers a total function which maps each element of the state space to an element of a well-founded order, and a set which is invariant at each iteration of the set transformer. The theorem states that if any execution of the set transformer starting in a state in the invariant set with a certain value of the variant function terminates in a state where the value of the variant is decremented, then the invariant set is contained in the termination set of the iteration of the set transformer. Formally, the theorem is stated as follows:

Theorem 3. (Variant Theorem)

Let $V \in u \to \mathbb{N}$, $v = \lambda n \cdot (n \in \mathbb{N} \mid \{\, z \mid z \in u \wedge V(z) = n \,\})$ and $v' = \lambda n \cdot (n \in \mathbb{N} \mid \{\, z \mid z \in u \wedge V(z) < n \,\})$. For any conjunctive set transformer $f$ in $\mathbb{P}(u) \to \mathbb{P}(u)$ and $p$ in $\mathbb{P}(u)$, such that $v(n) \cap p \subseteq f(v'(n))$ and $p \subseteq f(p)$ for any $n$ in $\mathbb{N}$, the following inclusion holds:

$p \subseteq \mathrm{fix}(f)$

The proof of this theorem uses the following equalities:

(30)

(31)

(32)

and the following property:

(33)

which are proved, under the assumptions of theorem 3, in appendix E. The proof of theorem 3 is as follows:

1. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \bigcup i \cdot (i \in \mathbb{N} \wedge i < n \mid v(i)) \cap p \subseteq \mathrm{fix}(f))$ ; (33)
2. $\forall n \cdot (n \in \mathbb{N} \Rightarrow v'(n+1) \cap p \subseteq \mathrm{fix}(f))$ ; from (30) and 1
3. $\bigcup i \cdot (i \in \mathbb{N} \mid v'(i+1)) \cap p \subseteq \mathrm{fix}(f)$ ; 2
4. $\bigcup i \cdot (i \in \mathbb{N} \mid v(i)) \cap p \subseteq \mathrm{fix}(f)$ ; 3 and (31)
5. $u \cap p \subseteq \mathrm{fix}(f)$ ; 4 and (32)
6. $p \subseteq \mathrm{fix}(f)$ ; 5 and $p \subseteq u$


4.2 A Sufficient Condition for Minimal Progress

A system reaches a certain set from any set of starting states under minimal progress if the set of departure is invariant in the system, it is contained in the guard of the system, and each execution of the system decrements a variant. Formally, these conditions are stated as follows:

ANTECEDENT:
$\forall n \cdot (n \in \mathbb{N} \Rightarrow a \cap \overline{b} \cap v(n) \subseteq S(v'(n)))$
$a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap S(a)$

CONSEQUENT:
$a \mapsto b \in L_m$

We remark from the definition of $\mathcal{F}_m$ that $\mathcal{F}_m(b)$ is a conjunctive set transformer. From this remark the proof of the rule is as follows:

1. $\forall n \cdot (n \in \mathbb{N} \Rightarrow a \cap \overline{b} \cap v(n) \subseteq S(v'(n)) \cap \mathrm{grd}(S))$ ; from premises
2. $\forall n \cdot (n \in \mathbb{N} \Rightarrow a \cap v(n) \subseteq \mathcal{F}_m(b)(v'(n)))$ ; 1 and def. $\mathcal{F}_m$
3. $a \subseteq \mathcal{F}_m(b)(a)$ ; premise and def. $\mathcal{F}_m$
4. $a \subseteq \mathrm{fix}(\mathcal{F}_m(b))$ ; 3, 2 and theorem 3
5. $a \mapsto b \in T_m$ ; 4 and def. $T_m$
6. $a \mapsto b \in L_m$ ; 5 and the equality $L_m = T_m$

The antecedent of this rule corresponds to the sufficient conditions given in [2] to prove liveness properties, where it is the only rule concerning the proof of liveness properties. Soundness of this rule is proved here in a more direct way: it is established without reasoning over state-traces, taking advantage of the fixpoint semantics approach.
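As an added worked instance (not from the paper) of the rule of this section and of the hypotheses of theorem 3 that its proof relies on, the following computes both antecedents for a constructed two-event system over $u = \mathbb{N}$; the events, the variant $V$ and the target set $b$ are assumptions of the example, as is the reading of the choice of events $S$ as the intersection $E_1(r) \cap E_2(r)$.

```latex
% Added worked example (not from the paper). Assumptions: state space u = N with
% state variable x; events written as guarded set transformers with
% (p => T)(r) = complement(p) ∪ T(r); the choice of events is the conjunction
% S(r) = E1(r) ∩ E2(r); grd(S) = complement(S(∅)).
%   E1 = (x > 1 => x := x - 2),   E1(r) = {x | x <= 1} ∪ {x | x - 2 ∈ r}
%   E2 = (x > 0 => x := x - 1),   E2(r) = {x | x = 0}  ∪ {x | x - 1 ∈ r}
% Departure set a = u, target b = {0}, variant V(z) = z,
% so v(n) = {n} and v'(n) = {z | z < n}.
\begin{align*}
&\mathrm{grd}(S) = \overline{E_1(\emptyset) \cap E_2(\emptyset)}
  = \overline{\{x \mid x \le 1\} \cap \{0\}} = \{x \mid x > 0\}.\\[4pt]
&\textbf{First antecedent: } \forall n \cdot (n \in \mathbb{N} \Rightarrow a \cap \overline{b} \cap v(n) \subseteq S(v'(n))).\\
&\quad n = 0:\quad a \cap \overline{b} \cap v(0) = \overline{\{0\}} \cap \{0\} = \emptyset \subseteq S(v'(0)).\\
&\quad n \ge 1:\quad a \cap \overline{b} \cap v(n) = \{n\};\ \text{now}\\
&\qquad n \in E_1(v'(n)) \text{ because } n \le 1 \ \vee\ n - 2 < n,\\
&\qquad n \in E_2(v'(n)) \text{ because } n - 1 < n,\\
&\qquad\text{hence } \{n\} \subseteq E_1(v'(n)) \cap E_2(v'(n)) = S(v'(n)).\\[4pt]
&\textbf{Second antecedent: } a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap S(a).\\
&\quad a \cap \overline{b} = \{x \mid x > 0\} = \mathrm{grd}(S),\qquad
   S(a) = E_1(u) \cap E_2(u) = u,\\
&\quad\text{so } a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap u.\\[4pt]
&\textbf{Consequent: } u \mapsto \{0\} \in L_m,\ \text{i.e. } x \in u \leadsto x = 0 \text{ under minimal progress.}\\[4pt]
&\text{In the proof of the rule, theorem 3 is applied with } f = \mathcal{F}_m(b) \text{ and } p = a:\\
&\quad \mathcal{F}_m(b)(r) = b \cup (\mathrm{grd}(S) \cap S(r)) = \{0\} \cup (\{x \mid x > 0\} \cap S(r)),\\
&\quad v(n) \cap a = \{n\} \subseteq \mathcal{F}_m(b)(v'(n)) \text{ and } a \subseteq \mathcal{F}_m(b)(a) = \{0\} \cup \{x \mid x > 0\} = u,\\
&\quad\text{which gives } a \subseteq \mathrm{fix}(\mathcal{F}_m(b)), \text{ i.e. } u \mapsto \{0\} \in T_m.\\[4pt]
&\textbf{A failing instance: } \text{add } E_3 = (x > 0 \Rightarrow x := x + 1),\
  E_3(r) = \{0\} \cup \{x \mid x + 1 \in r\}.\\
&\quad \text{For } n \ge 1:\ n \notin E_3(v'(n)) = \{0\} \cup \{x \mid x + 1 < n\},
  \text{ so } \{n\} \not\subseteq S(v'(n))\\
&\quad\text{and the first antecedent fails: the rule does not apply, because } E_3 \text{ does not decrement } V.
\end{align*}
```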


4.3 From Weak Fairness to Minimal Progress

Using the variant theorem, we prove a sufficient condition establishing that a liveness property under minimal progress follows from the corresponding property proved under weak fairness and from the decrement of a variant:

ANTECEDENT:
$\forall n \cdot (n \in \mathbb{N} \Rightarrow \overline{b} \cap v(n) \subseteq S(v'(n)))$
$a \mapsto b \in L_w$

CONSEQUENT:
$a \mapsto b \in L_m$

The proof of these conditions is given by the Variant Theorem. In order to apply the theorem, we need to identify a set invariant under $\mathcal{F}_m(b)$. However, as the sets $a$ and $b$ cannot be proved invariant, we prove that the least fixpoint of $\mathcal{F}_w(b)$ is invariant under $\mathcal{F}_m(b)$, that is $\mathrm{fix}(\mathcal{F}_w(b)) \subseteq \mathcal{F}_m(b)(\mathrm{fix}(\mathcal{F}_w(b)))$. This proof requires the following lemma:

$\forall \alpha \cdot (\mathcal{F}_w(b)^{\alpha} \subseteq b \cup (\mathrm{grd}(S) \cap S(\mathrm{fix}(\mathcal{F}_w(b)))))$ (34)

The proof of (34) is done by transfinite induction; it is presented in appendix E. Using (34), the proof of the sufficient condition is as follows:

1. $\mathrm{fix}(\mathcal{F}_w(b)) \subseteq b \cup (\mathrm{grd}(S) \cap S(\mathrm{fix}(\mathcal{F}_w(b))))$ ; theorem 1 and (34)
2. $\mathrm{fix}(\mathcal{F}_w(b)) \subseteq \mathcal{F}_m(b)(\mathrm{fix}(\mathcal{F}_w(b)))$ ; 1 and (15)
3. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \mathrm{fix}(\mathcal{F}_w(b)) \cap v(n) \subseteq b \cup \mathrm{grd}(S) \cap S(v'(n)))$ ; 2 and premise
4. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \mathrm{fix}(\mathcal{F}_w(b)) \cap v(n) \subseteq \mathcal{F}_m(b)(v'(n)))$ ; 3 and (15)
5. $\mathrm{fix}(\mathcal{F}_w(b)) \subseteq \mathrm{fix}(\mathcal{F}_m(b))$ ; 4, 2 and theorem 3
6. $a \mapsto b \in T_w$ ; premise and eq. (29)
7. $a \subseteq \mathrm{fix}(\mathcal{F}_w(b))$ ; 6 and def. $T_w$
8. $a \subseteq \mathrm{fix}(\mathcal{F}_m(b))$ ; 7 and 5
9. $a \mapsto b \in L_m$ ; 8, def. $T_m$ and the equality $L_m = T_m$
5 Conclusions

We have presented a fixpoint semantics of event systems under minimal progress and weak fairness assumptions. Then we have proved soundness and completeness of rules for deriving leads-to properties under weak fairness and minimal progress assumptions. Finally, we have proved sufficient conditions that guarantee a liveness property under minimal progress under two hypotheses: every event decrements a variant within an invariant, or every event decrements a variant and the property holds under weak fairness.

The development of our semantics is structured. First, a general framework is established without concerns of fairness, and our notions of termination and reachability are elaborated. Soundness and completeness of rules for leads-to are proved in this framework. The general framework is then instantiated to the cases of minimal progress and weak fairness assumptions, and the corresponding results are proved. Each element in our models has a concrete representation as a set transformer. In particular, we stress how the weak fairness assumption is modeled by the dovetail operator.

We have stated a simple form of the variant theorem and given a simple proof of it. We remark the usefulness of this theorem in the proofs of liveness properties. In particular, we note the importance of conditions which guarantee the derivation of a certain liveness property $P$ under minimal progress if $P$ holds under weak fairness and every element of the system decrements a variant. This is a new result which gives the possibility to implement fairness in a system.

As future work we will investigate how our approach can be adapted to deal with refinement of event systems. Another line will be to consider how to instantiate the general framework for strong fairness.
A leads-to as a Relation Between Predicates or Sets

In order to guarantee that leads-to ($\leadsto$), as a relation between predicates on the system state, and the relation $L$ between subsets of $u$ are equivalent, we supposed the following equivalence:

$P(x) \leadsto Q(x) \equiv \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$

In the following paragraphs we give the proof of this equivalence. It is founded on the fact that the leads-to relation of unity logic, as pointed out in [5], can be defined by an induction scheme similar to definition 2. That is, as a relation between predicates, $\leadsto \subseteq \mathit{Pred} \times \mathit{Pred}$, where $\mathit{Pred}$ is the set of predicates on the space of the state variable $x$, is the smallest relation satisfying the rules BRL, TRA and DSJ given in section 2:

BRL: $E \subseteq \leadsto$
TRA: $(\leadsto ; \leadsto) \subseteq \leadsto$
DSJ: $\forall m \cdot (m \in M \Rightarrow P(m) \leadsto Q) \Rightarrow \exists m \cdot (m \in M \wedge P(m)) \leadsto Q$

where $E$ is the set of couples of predicates satisfying the ensures relation:

$E = \{\, P \mapsto Q \mid P \rhd Q \,\}$ (35)

We recall that the relation $\rhd$ must be instantiated to the relation $\rhd_m$ under the minimal progress hypothesis or to the relation $\rhd_w$ under weak fairness assumptions, in a similar way to the instantiation of the basic relation $\mathcal{E}$. In order to give the proof of the equivalence above, at this point we suppose that $E$ and $\mathcal{E}$ satisfy the following properties:

$\forall (P, Q) \cdot (P \in \mathit{Pred} \wedge Q \in \mathit{Pred} \Rightarrow P(x) \rhd Q(x) \equiv \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E})$ (36)

$\forall (p, q) \cdot (p \subseteq u \wedge q \subseteq u \Rightarrow p \mapsto q \in \mathcal{E} \equiv x \in p \rhd x \in q)$ (37)

We give below the proof of these properties, instantiated to weak fairness or minimal progress assumptions.

The proof of the equivalence is given in two parts:

$P(x) \leadsto Q(x) \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$ (38)

$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L \Rightarrow P(x) \leadsto Q(x)$ (39)

Proof of (38)

Let $\mathcal{P}$ be the following set:

$\mathcal{P} = \{\, P \mapsto Q \mid (P \leadsto Q) \wedge \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L \,\}$

From this definition follows $\mathcal{P} \subseteq \leadsto$. The inclusion $\leadsto \subseteq \mathcal{P}$ is proved below by structural induction. From these inclusions follows the equality $\mathcal{P} = \leadsto$. Finally, from this equality follows (38):

$\mathcal{P} = \leadsto$
$\equiv$ { $\mathcal{P} = \leadsto \cap \{\, P \mapsto Q \mid \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L \,\}$ }
$\leadsto \subseteq \{\, P \mapsto Q \mid \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L \,\}$
$\equiv$
$\forall (P, Q) \cdot (P \leadsto Q \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L)$

□

In order to prove $\leadsto \subseteq \mathcal{P}$, the following proofs are required:

- $E \subseteq \mathcal{P}$.
- $(\mathcal{P} ; \mathcal{P}) \subseteq \mathcal{P}$.
- $\forall i \cdot (i \in I \Rightarrow P(i) \mapsto Q \in \mathcal{P}) \Rightarrow \exists i \cdot (i \in I \wedge P(i)) \mapsto Q \in \mathcal{P}$

¹ The infix notation $P \leadsto Q$ is used to state that $P \mapsto Q \in \leadsto$, for any predicates $P$ and $Q$ in $\mathit{Pred}$.


Proof of Base Case

1. $P \mapsto Q \in E \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}$ ; from (36)
2. $P \mapsto Q \in E \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$ ; 1 and SBR
3. $P \mapsto Q \in E \Rightarrow P \leadsto Q$ ; BRL
4. $P \mapsto Q \in E \Rightarrow P \mapsto Q \in \mathcal{P}$ ; 3, 2 and def. $\mathcal{P}$
5. $E \subseteq \mathcal{P}$ ; 4

□

Proof of Transitivity

It follows from $P \mapsto Q \in \mathcal{P} \wedge Q \mapsto R \in \mathcal{P} \Rightarrow P \mapsto R \in \mathcal{P}$:

1. $P \mapsto Q \in \mathcal{P} \wedge Q \mapsto R \in \mathcal{P}$ ; premise
2. $P \leadsto R$ ; 1, def. $\mathcal{P}$, TRA
3. $\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge R(z) \,\} \in L$ ; 1, def. $\mathcal{P}$, STR
4. $P \mapsto R \in \mathcal{P}$ ; 3, 2 and def. $\mathcal{P}$

□

Proof of Disjunction

1. $\forall i \cdot (i \in I \Rightarrow P(i) \mapsto Q \in \mathcal{P})$ ; premise
2. $\exists i \cdot (i \in I \wedge P(i)) \leadsto Q$ ; 1, def. $\mathcal{P}$, DSJ
3. $\forall i \cdot (i \in I \Rightarrow \{\, z \mid z \in u \wedge P(i)(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L)$ ; 1, def. $\mathcal{P}$
4. $\{\, \{\, z \mid z \in u \wedge P(i)(z) \,\} \mid i \in I \,\} \times \{\, \{\, z \mid z \in u \wedge Q(z) \,\} \,\} \subseteq L$ ; 3
5. $\bigcup(\{\, \{\, z \mid z \in u \wedge P(i)(z) \,\} \mid i \in I \,\}) \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$ ; 4, SDR
6. $\{\, z \mid z \in u \wedge \exists i \cdot (i \in I \wedge P(i)(z)) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$ ; 5
7. $\exists i \cdot (i \in I \wedge P(i)) \mapsto Q \in \mathcal{P}$ ; 6, 2 and def. $\mathcal{P}$

□


Proof of (39)

This proof is similar to the proof of (38). Let $\mathcal{Q}$ be the following set:

$\mathcal{Q} = \{\, p \mapsto q \mid p \mapsto q \in L \wedge x \in p \leadsto x \in q \,\}$

From this definition follows $\mathcal{Q} \subseteq L$. The inclusion $L \subseteq \mathcal{Q}$ is proved below by structural induction. From these inclusions follows the equality $\mathcal{Q} = L$. Now, from this equality follows the inclusion $L \subseteq \{\, p \mapsto q \mid p \subseteq u \wedge q \subseteq u \wedge x \in p \leadsto x \in q \,\}$:

$\mathcal{Q} = L$
$\equiv$ { $\mathcal{Q} = L \cap \{\, p \mapsto q \mid p \subseteq u \wedge q \subseteq u \wedge x \in p \leadsto x \in q \,\}$ }
$L \subseteq \{\, p \mapsto q \mid p \subseteq u \wedge q \subseteq u \wedge x \in p \leadsto x \in q \,\}$

Finally, from this inclusion, and taking $\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in L$ as a premise, the conclusion $P \leadsto Q$ of (39) follows.

□

In order to prove $L \subseteq \mathcal{Q}$ the following proofs are required:

- $\mathcal{E} \subseteq \mathcal{Q}$.
- $(\mathcal{Q} ; \mathcal{Q}) \subseteq \mathcal{Q}$.
- $l \times \{q\} \subseteq \mathcal{Q} \Rightarrow \bigcup(l) \mapsto q \in \mathcal{Q}$


Proof of Base Case

1. $p \mapsto q \in \mathcal{E} \Rightarrow x \in p \rhd x \in q$ ; from (37)
2. $p \mapsto q \in \mathcal{E} \Rightarrow x \in p \leadsto x \in q$ ; 1 and BRL
3. $p \mapsto q \in \mathcal{E} \Rightarrow p \mapsto q \in L$ ; SBR
4. $p \mapsto q \in \mathcal{E} \Rightarrow p \mapsto q \in \mathcal{Q}$ ; 3, 2, def. $\mathcal{Q}$
5. $\mathcal{E} \subseteq \mathcal{Q}$ ; 4

□

Proof of Transitivity

1. $p \mapsto q \in \mathcal{Q} \wedge q \mapsto r \in \mathcal{Q}$ ; premise
2. $p \mapsto q \in L \wedge q \mapsto r \in L$ ; 1, def. $\mathcal{Q}$
3. $(x \in p \leadsto x \in q) \wedge (x \in q \leadsto x \in r)$ ; 1, def. $\mathcal{Q}$
4. $p \mapsto r \in L \wedge x \in p \leadsto x \in r$ ; 2, 3, TRA, STR
5. $p \mapsto r \in \mathcal{Q}$ ; 4, def. $\mathcal{Q}$

□

Proof of Disjunction

1. $l \times \{q\} \subseteq \mathcal{Q}$ ; premise
2. $l \times \{q\} \subseteq L$ ; 1, def. $\mathcal{Q}$
3. $\bigcup(l) \mapsto q \in L$ ; 2, SDR
4. $l \times \{q\} \subseteq \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge x \in a \leadsto x \in b \,\}$ ; 1, def. $\mathcal{Q}$
5. $\forall s \cdot (s \in l \Rightarrow x \in s \leadsto x \in q)$ ; $l \subseteq \mathbb{P}(u)$, 4
6. $\exists s \cdot (s \in l \wedge x \in s) \leadsto x \in q$ ; 5, DSJ
7. $x \in \bigcup(l) \leadsto x \in q$ ; 6
8. $\bigcup(l) \mapsto q \in \mathcal{Q}$ ; 7, 3, def. $\mathcal{Q}$

□


A.1 Instantiation of ensures to Minimal Progress

In this section, properties (36) and (37) are proved when the ensures relation is instantiated to a minimal progress assumption.

The definition of the ensures relation under minimal progress assumptions ($\rhd_m$), without considering the strongest invariant, is the following:

$\forall (P, Q) \cdot (P \in \mathit{Pred} \wedge Q \in \mathit{Pred} \Rightarrow P(x) \rhd_m Q(x) \equiv \forall x \cdot (I(x) \wedge P(x) \wedge \neg Q(x) \Rightarrow \mathrm{grd}(\mathrm{sub}(S)) \wedge [\mathrm{sub}(S)]\, Q(x)))$

where $\mathrm{sub}(S)$ denotes the generalized substitution associated with the set transformer $S$, and for any generalized substitution $T$, the predicate $\mathrm{grd}(T)$ is equivalent to $\neg [T]\, \mathit{false}$.

Proof of (36)

$P(x) \rhd_m Q(x)$
$\equiv$ { def. }
$\forall x \cdot (I(x) \wedge P(x) \wedge \neg Q(x) \Rightarrow \mathrm{grd}(\mathrm{sub}(S)) \wedge [\mathrm{sub}(S)]\, Q(x))$
$\equiv$ { set theory }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow I(x) \wedge \mathrm{grd}(\mathrm{sub}(S)) \wedge [\mathrm{sub}(S)]\, Q(x))$
$\equiv$ { $I(x) \Rightarrow [\mathrm{sub}(S)]\, I(x)$, conjunctive $S$ }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow I(x) \wedge \mathrm{grd}(\mathrm{sub}(S)) \wedge [\mathrm{sub}(S)]\, (I(x) \wedge Q(x)))$
$\equiv$ { set transformers }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow x \in \mathrm{grd}(S) \cap S(\{\, z \mid I(z) \wedge Q(z) \,\}))$
$\equiv$ { set theory, $u = \{\, z \mid I(z) \,\}$ }
$\{\, z \mid z \in u \wedge P(z) \,\} \cap \{\, z \mid z \in u \wedge \neg Q(z) \,\} \subseteq \mathrm{grd}(S) \cap S(\{\, z \mid z \in u \wedge Q(z) \,\})$
$\equiv$ { def. $\mathcal{E}_m$ }
$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}_m$

□

Proof of (37)

$p \mapsto q \in \mathcal{E}_m$
$\equiv$ { def. $\mathcal{E}_m$ }
$p \cap \overline{q} \subseteq S(q) \cap \mathrm{grd}(S)$
$\equiv$ { set theory }
$\forall x \cdot (x \in p \cap \overline{q} \Rightarrow x \in S(q) \cap \mathrm{grd}(S))$
$\equiv$ { $x \in p \Rightarrow I(x)$ }
$\forall x \cdot (I(x) \wedge x \in p \wedge \neg x \in q \Rightarrow x \in S(q) \cap \mathrm{grd}(S))$
$\equiv$ { set transformers }
$\forall x \cdot (I(x) \wedge x \in p \wedge \neg x \in q \Rightarrow [\mathrm{sub}(S)]\, x \in q \wedge \mathrm{grd}(S))$
$\equiv$ { def. $\rhd_m$ }
$x \in p \rhd_m x \in q$

□


A.2 Instantiation of ensures to Weak Fairness

In this section, properties (36) and (37) are proved when the ensures relation ($\rhd$) is instantiated to the weak fairness assumption relation ($\rhd_w$). The instantiation under this condition is given by the following equivalence:

$P(x) \rhd_w Q(x) \equiv \exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x))$

The definition of the ensures relation under weak fairness assumptions ($G \cdot P \rhd_w Q$), without considering the strongest invariant, is the following:

$\forall (P, Q) \cdot (P \in \mathit{Pred} \wedge Q \in \mathit{Pred} \Rightarrow G \cdot P(x) \rhd_w Q(x) \equiv \forall x \cdot (I(x) \wedge P(x) \wedge \neg Q(x) \Rightarrow ([\mathrm{sub}(S)]\, (P(x) \vee Q(x))) \wedge \mathrm{grd}(\mathrm{sub}(G)) \wedge [\mathrm{sub}(G)]\, Q(x)))$

where $\mathrm{sub}(S)$ and $\mathrm{sub}(G)$ denote the generalized substitutions associated with the set transformers $S$ and $G$.

The proof follows from the following equivalences, which are proved below:

$G \cdot P(x) \rhd_w Q(x) \equiv \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G)$ (40)

$p \mapsto q \in \mathcal{E}(G) \equiv G \cdot x \in p \rhd_w x \in q$ (41)

Proof of (36)

Implication from left to right follows from (40):

$G \cdot P(x) \rhd_w Q(x) \equiv \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G)$
$\Rightarrow$ { $\mathcal{E}_w = \bigcup G \cdot (G \in S \mid \mathcal{E}(G))$ }
$G \cdot P(x) \rhd_w Q(x) \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}_w$
$\Rightarrow$
$\exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x)) \Rightarrow \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}_w$

Implication from right to left follows from (40):

$G \cdot P(x) \rhd_w Q(x) \equiv \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G)$
$\Rightarrow$
$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x))$
$\Rightarrow$
$\exists G \cdot (G \in S \wedge \{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G)) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x))$
$\equiv$
$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \bigcup G \cdot (G \in S \mid \mathcal{E}(G)) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x))$
$\equiv$ { def. $\mathcal{E}_w$ }
$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}_w \Rightarrow \exists G \cdot (G \in S \wedge G \cdot P(x) \rhd_w Q(x))$

□

Proof of (37)

Implication from left to right follows from (41):

$p \mapsto q \in \mathcal{E}(G) \equiv G \cdot x \in p \rhd_w x \in q$
$\Rightarrow$ { $\mathcal{E}_w = \bigcup G \cdot (G \in S \mid \mathcal{E}(G))$ }
$p \mapsto q \in \mathcal{E}(G) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot x \in p \rhd_w x \in q)$
$\Rightarrow$
$\exists G \cdot (G \in S \wedge p \mapsto q \in \mathcal{E}(G)) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot x \in p \rhd_w x \in q)$

Implication from right to left follows from (41):

$p \mapsto q \in \mathcal{E}(G) \equiv G \cdot x \in p \rhd_w x \in q$
$\Rightarrow$
$p \mapsto q \in \mathcal{E}(G) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot x \in p \rhd_w x \in q)$
$\Rightarrow$
$\exists G \cdot (p \mapsto q \in \mathcal{E}(G)) \Rightarrow \exists G \cdot (G \in S \wedge G \cdot x \in p \rhd_w x \in q)$
$\Rightarrow$
$p \mapsto q \in \mathcal{E}_w \Rightarrow \exists G \cdot (G \in S \wedge G \cdot x \in p \rhd_w x \in q)$

□
Proof of (40)

$G \cdot P(x) \rhd_w Q(x)$
$\equiv$ { def. }
$\forall x \cdot (I(x) \wedge P(x) \wedge \neg Q(x) \Rightarrow ([\mathrm{sub}(S)]\, (P(x) \vee Q(x))) \wedge \mathrm{grd}(\mathrm{sub}(G)) \wedge [\mathrm{sub}(G)]\, Q(x))$
$\equiv$ { set theory }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow ([\mathrm{sub}(S)]\, (P(x) \vee Q(x))) \wedge \mathrm{grd}(\mathrm{sub}(G)) \wedge [\mathrm{sub}(G)]\, Q(x))$
$\equiv$ { $I(x) \Rightarrow [\mathrm{sub}(S)]\, I(x)$, conjunctive $S$ and $G$ }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow ([\mathrm{sub}(S)]\, (I(x) \wedge P(x) \vee I(x) \wedge Q(x))) \wedge \mathrm{grd}(\mathrm{sub}(G)) \wedge [\mathrm{sub}(G)]\, (I(x) \wedge Q(x)))$
$\equiv$ { set transformers }
$\forall x \cdot (x \in \{\, z \mid I(z) \wedge P(z) \,\} \cap \{\, z \mid I(z) \wedge \neg Q(z) \,\} \Rightarrow x \in S(\{\, z \mid z \in u \wedge P(z) \,\} \cup \{\, z \mid z \in u \wedge Q(z) \,\}) \wedge x \in \mathrm{grd}(G) \wedge x \in G(\{\, z \mid z \in u \wedge Q(z) \,\}))$
$\equiv$ { set theory, $u = \{\, z \mid I(z) \,\}$ }
$\{\, z \mid z \in u \wedge P(z) \,\} \cap \{\, z \mid z \in u \wedge \neg Q(z) \,\} \subseteq S(\{\, z \mid z \in u \wedge P(z) \,\} \cup \{\, z \mid z \in u \wedge Q(z) \,\}) \cap \mathrm{grd}(G) \cap G(\{\, z \mid z \in u \wedge Q(z) \,\})$
$\equiv$ { def. $\mathcal{E}(G)$ }
$\{\, z \mid z \in u \wedge P(z) \,\} \mapsto \{\, z \mid z \in u \wedge Q(z) \,\} \in \mathcal{E}(G)$

□

Proof of (41)

$p \mapsto q \in \mathcal{E}(G)$
$\equiv$ { def. }
$p \cap \overline{q} \subseteq S(p \cup q) \cap \mathrm{grd}(G) \cap G(q)$
$\equiv$ { set theory }
$\forall x \cdot (x \in p \cap \overline{q} \Rightarrow x \in S(p \cup q) \cap \mathrm{grd}(G) \cap G(q))$
$\equiv$ { $x \in p \Rightarrow I(x)$ }
$\forall x \cdot (I(x) \wedge x \in p \wedge \neg x \in q \Rightarrow x \in S(p \cup q) \cap \mathrm{grd}(G) \cap G(q))$
$\equiv$ { set transformers }
$\forall x \cdot (I(x) \wedge x \in p \wedge \neg x \in q \Rightarrow ([\mathrm{sub}(S)]\, (x \in p \vee x \in q)) \wedge \mathrm{grd}(G) \wedge [\mathrm{sub}(G)]\, x \in q)$
$\equiv$ { def. }
$G \cdot x \in p \rhd_w x \in q$

□
B Extension of Semantics to Consider the Strongest Invariant

In this annex, the strongest invariant is considered in the definitions of the termination and reachability relations. It allows us to preserve soundness of unity logic. Certain definitions and proofs are independent of the strongest invariant and they remain unchanged. Only the new definitions and proofs are considered in this annex. It is structured in four parts. In section B.1 the strongest invariant is presented. In section B.2 the general theorem about soundness and completeness is restated, and in section B.3 it is proved. In section B.4 the termination and basic relations for leads-to are redefined to consider a minimal progress assumption, and the hypotheses of the theorem of soundness and completeness are proved. In section B.5 a similar treatment is given for the case of a weak fairness assumption.

B.1 Strongest Invariant

The original definitions of the fundamental relations unless and ensures in unity logic [?] do not consider initial conditions. On the other hand, in order to give the possibility to prove valid properties (completeness), the Substitution Axiom is proposed in [?]. Basically, this axiom states that any invariant predicate may be replaced by true and vice versa.

The original definitions of the fundamental relations in [?], along with the substitution axiom, give an unsound proof system, as reported in [?]. To fix this problem, the relations unless and ensures are redefined to consider initial conditions. The new definitions in [?] consider the strongest invariant, which holds in the reachable states. Moreover, the substitution axiom is replaced by a substitution rule, which becomes a theorem in the new logic. However, in [?], a problem with the new rule is reported and another substitution rule is proposed. In this report we are not concerned with this last issue.

Following the proposal in [?], and adapting the definition to our framework, the strongest invariant is defined as follows:

Definition 3. Strongest Invariant

Let $SS$ be a B event system with state variable $x$, initialization $U$ and choice of events $S$. The strongest invariant $SI$ of $SS$ is the strongest predicate $X$ satisfying:

$\forall x \cdot ((X \Rightarrow [S]\, X) \wedge (([x' := x]\, \mathrm{prd}(U)) \Rightarrow X))$

where $\mathrm{prd}(U)$ denotes the before-after relation associated with the initialization $U$. Using the strongest invariant, the definition of the ensures relation, to specify basic liveness properties under our two fairness assumptions, is as follows:

Definition 4. Ensures under Minimal Progress

Let $SS$ be a B event system with state variable $x$, initialization $U$ and choice of events $S$. For any predicates $P$ and $Q$ over $x$, the basic liveness relation is defined as follows:

$P \rhd_m Q \equiv SI \wedge P \wedge \neg Q \Rightarrow (([S]\, Q) \wedge \mathrm{grd}(S))$

Definition 5. Ensures under Weak Fairness

Let $SS$ be a B event system with state variable $x$, initialization $U$, choice of events $S$ and $G$ an event of $SS$. For any predicates $P$ and $Q$ over $x$, the basic liveness relation is defined as follows:

$G \cdot P \rhd_w Q \equiv SI \wedge P \wedge \neg Q \Rightarrow (([S]\, (P \vee Q)) \wedge ([G]\, Q) \wedge \mathrm{grd}(G))$

Finally $si$, the set counterpart of the strongest invariant, is given by the following definition:

$si = \{\, z \mid SI(z) \,\}$

B.2 General Framework

The body of the iteration in the general framework does not change:

$\mathcal{F}(r) = (\overline{r} \Rightarrow W)$

The termination relation is redefined to consider the strongest invariant as follows:

Definition 6. (Termination Relation)

$T = \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap b)) \,\}$ (42)

The reachability relation is not modified directly:

Definition 7. (Reachability Relation)

The reachability relation $L$, $L \in \mathbb{P}(u) \leftrightarrow \mathbb{P}(u)$, is defined by the following induction scheme:

(SBR): $\mathcal{E} \subseteq L$
(STR): $(L ; L) \subseteq L$
(SDR): $\forall (q, l) \cdot (q \in \mathbb{P}(u) \wedge l \subseteq \mathbb{P}(u) \Rightarrow (l \times \{q\} \subseteq L \Rightarrow \bigcup(l) \mapsto q \in L))$
Closure: $\forall l' \cdot (l' \in \mathbb{P}(u) \leftrightarrow \mathbb{P}(u) \wedge \mathcal{E} \subseteq l' \wedge (l' ; l') \subseteq l' \wedge \forall (q, l) \cdot (q \in \mathbb{P}(u) \wedge l \subseteq \mathbb{P}(u) \Rightarrow (l \times \{q\} \subseteq l' \Rightarrow \bigcup(l) \mapsto q \in l')) \Rightarrow L \subseteq l')$

However, when $L$ is instantiated to minimal progress or weak fairness assumptions, the strongest invariant is considered in the definition of the base relation.

The theorem of soundness and completeness, taking into account the new definitions of $T$ and $L$, remains basically unchanged. Only the hypotheses concerning the strongest invariant and the basic relation are modified with respect to the previous version.

Theorem 4. (Soundness and Completeness)

Let $W$ be a monotonic and strict set transformer and $\mathcal{F}(r) = (\overline{r} \Rightarrow W)$ for any $r$ in $\mathbb{P}(u)$. Let the relations $T$ and $L$ be defined as in definitions 6 and 7 respectively. Considering (a) $a \mapsto b \in \mathcal{E} \Rightarrow si \cap a \cap \overline{b} \subseteq W(si \cap b)$, (b) $a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}$, (c) $si \cap a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}$ and (d) $W(r) \mapsto r \in L$, for any $a$, $b$ and $r$ in $\mathbb{P}(u)$, the following equality holds:

$L = T$

The proof is given in the following section.

In appendix A the equivalence between the reachability relation $L$ and the definition of the leads-to relation is proved. That proof does not consider the strongest invariant in the given definitions. In order to connect the definition of the reachability relation considering the strongest invariant, a demonstration similar to the proof of that equivalence can be given to prove the following equivalence:

$P(x) \leadsto Q(x) \equiv \{\, z \mid z \in si \wedge P(z) \,\} \mapsto \{\, z \mid z \in si \wedge Q(z) \,\} \in L$

which relates the definition of the leads-to relation with the reachability relation considering the strongest invariant.


B.3 Proof of Soundness and Completeness

As before, the proof is divided into $L \subseteq T$ and $T \subseteq L$.

B.3.1 Proof of $L \subseteq T$

The proof of $L \subseteq T$ follows from the closure clause in the definition of $L$. According to this clause, $T$ must contain the base relation $\mathcal{E}$, and it must be transitive and disjunctive. The following paragraphs present the proof of these cases.

Base Case

$a \mapsto b \in \mathcal{E} \Rightarrow a \mapsto b \in T$

1. $a \mapsto b \in \mathcal{E}$ ; premise
2. $si \cap a \cap \overline{b} \subseteq W(b \cap si)$ ; 1 and hyp. (a)
3. $si \cap a \subseteq b \cup W(b \cap si)$ ; 2
4. $si \cap a \subseteq si \cap b \cup W(b \cap si)$ ; 3
5. $si \cap a \subseteq \mathcal{F}(si \cap b)(b \cap si)$ ; 4 and def. $\mathcal{F}$
6. $\exists \alpha \cdot (si \cap a \subseteq \mathcal{F}(si \cap b)^{\alpha})$ ; 5 and def. iterate
7. $si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; 6 and (10)
8. $a \mapsto b \in T$ ; 7 and def. (42)


Transitivity

$\forall (a, b) \cdot (a \mapsto b \in (T ; T) \Rightarrow a \mapsto b \in T)$ (44)

The proof of (44) requires the following property:

$\forall (a, b) \cdot (a \mapsto b \in T \Rightarrow \mathrm{fix}(\mathcal{F}(si \cap a)) \subseteq \mathrm{fix}(\mathcal{F}(si \cap b)))$ (45)

Taking $a \mapsto b \in T$ as a premise, and considering $\mathrm{fix}(\mathcal{F}(si \cap a))$ as the least fixpoint of $\mathcal{F}(si \cap a)$, (45) follows from $\mathcal{F}(si \cap a)(\mathrm{fix}(\mathcal{F}(si \cap b))) \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$, which is proved as follows:

1. $si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; from $a \mapsto b \in T$
2. $\mathcal{F}(si \cap b)(\mathrm{fix}(\mathcal{F}(si \cap b))) = \mathrm{fix}(\mathcal{F}(si \cap b))$ ; fixpoint definition
3. $W(\mathrm{fix}(\mathcal{F}(si \cap b))) \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; 2 and def. $\mathcal{F}$
4. $\mathcal{F}(si \cap a)(\mathrm{fix}(\mathcal{F}(si \cap b))) \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; 3, 1 and def. $\mathcal{F}$

□

Proof of (44)

1. $\exists c \cdot (a \mapsto c \in T \wedge c \mapsto b \in T)$ ; from $a \mapsto b \in T ; T$
2. $\exists c \cdot (si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap c)) \wedge c \mapsto b \in T)$ ; 1 and def. $T$
3. $\exists c \cdot (si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap c)) \wedge \mathrm{fix}(\mathcal{F}(si \cap c)) \subseteq \mathrm{fix}(\mathcal{F}(si \cap b)))$ ; 2 and (45)
4. $si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; 3
5. $a \mapsto b \in T$ ; 4 and def. $T$

□

Disjunction

$\forall (l, q) \cdot (l \times \{q\} \subseteq T \Rightarrow \bigcup(l) \mapsto q \in T)$ (46)

1. $l \times \{q\} \subseteq T$ ; premise
2. $\forall p \cdot (p \in l \Rightarrow p \mapsto q \in T)$ ; 1
3. $\forall p \cdot (p \in l \Rightarrow si \cap p \subseteq \mathrm{fix}(\mathcal{F}(si \cap q)))$ ; 2 and def. (42)
4. $\bigcup p \cdot (p \in l \mid si \cap p) \subseteq \mathrm{fix}(\mathcal{F}(si \cap q))$ ; 3
5. $si \cap \bigcup p \cdot (p \in l \mid p) \subseteq \mathrm{fix}(\mathcal{F}(si \cap q))$ ; 4
6. $si \cap \bigcup(l) \subseteq \mathrm{fix}(\mathcal{F}(si \cap q))$ ; 5
7. $\bigcup(l) \mapsto q \in T$ ; 6 and def. (42)

□


B.3.2 Proof of $T \subseteq L$

The proof of this inclusion requires the following property, which is already proved:

$\forall r \cdot (r \in \mathbb{P}(u) \Rightarrow \mathcal{F}(r)^{\alpha} \mapsto r \in L)$ (11)

Proof of $T \subseteq L$

1. $si \cap a \subseteq \mathrm{fix}(\mathcal{F}(si \cap b))$ ; from $a \mapsto b \in T$
2. $\exists \alpha \cdot (si \cap a \subseteq \mathcal{F}(si \cap b)^{\alpha})$ ; 1 and theorem 1
3. $\exists \alpha \cdot (a \mapsto \mathcal{F}(si \cap b)^{\alpha} \in \mathcal{E})$ ; 2 and hyp. (c)
4. $\exists \alpha \cdot (a \mapsto \mathcal{F}(si \cap b)^{\alpha} \in L)$ ; 3 and SBR
5. $a \mapsto si \cap b \in L$ ; 4 and (11)
6. $a \mapsto b \in L$ ; 5, $si \cap b \mapsto b \in L$, STR

□


B.4 Minimal Progress

The body of the iteration under a minimal progress assumption does not change:

$\mathcal{F}_m(r) = (\overline{r} \Rightarrow W_m)$

where $W_m$ remains defined as before:

$W_m = \mathrm{grd}(S) \mid S$

The termination relation under the minimal progress assumption is defined as follows:

$T_m = \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge si \cap a \subseteq \mathrm{fix}(\mathcal{F}_m(si \cap b)) \,\}$ (47)

The basic relation $\mathcal{E}_m$ for the reachability relation under minimal progress assumptions is defined as follows:

$\mathcal{E}_m = \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge si \cap a \cap \overline{b} \subseteq S(b) \cap \mathrm{grd}(S) \,\}$ (48)

The relation $L_m$ is defined by an induction scheme, according to definition 2.

The following proofs of the hypotheses of theorem 4 allow us to conclude the equality between the reachability and termination relations under a minimal progress assumption:

$L_m = T_m$


B.4.1 Proof of Premise (a)

$a \mapsto b \in \mathcal{E}_m \Rightarrow si \cap a \cap \overline{b} \subseteq W_m(si \cap b)$ (49)

$a \mapsto b \in \mathcal{E}_m$
$\equiv$ { (48) }
$si \cap a \cap \overline{b} \subseteq S(b) \cap \mathrm{grd}(S)$
$\Rightarrow$ { $si \subseteq S(si)$, conjunctive $S$ }
$si \cap a \cap \overline{b} \subseteq S(si \cap b) \cap \mathrm{grd}(S)$
$\equiv$ { def. $W_m$ }
$si \cap a \cap \overline{b} \subseteq W_m(si \cap b)$

□

B.4.2 Proof of Premise (b)

$a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_m$ (50)

1. $a \subseteq b$ ; premise
2. $si \cap a \cap \overline{b} = \emptyset$ ; 1
3. $si \cap a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap S(b)$ ; 2
4. $a \mapsto b \in \mathcal{E}_m$ ; 3 and (48)

□

B.4.3 Proof of Premise (c)

$si \cap a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_m$ (51)

1. $si \cap a \subseteq b$ ; premise
2. $si \cap a \cap \overline{b} = \emptyset$ ; 1
3. $si \cap a \cap \overline{b} \subseteq \mathrm{grd}(S) \cap S(b)$ ; 2
4. $a \mapsto b \in \mathcal{E}_m$ ; 3 and (48)

□

B.4.4 Proof of Premise (d)

$W_m(r) \mapsto r \in L_m$ (52)

1. $si \cap \mathrm{grd}(S) \cap S(r) \cap \overline{r} \subseteq \mathrm{grd}(S) \cap S(r)$ ; trivial
2. $\mathrm{grd}(S) \cap S(r) \mapsto r \in \mathcal{E}_m$ ; 1 and def. $\mathcal{E}_m$
3. $W_m(r) \mapsto r \in \mathcal{E}_m$ ; 2 and def. $W_m$
4. $W_m(r) \mapsto r \in L_m$ ; 3 and def. $L_m$

□


B.5 Weak Fairness

The body of the iteration under the weak fairness assumption does not change:

$\mathcal{F}_w(r) = (\overline{r} \Rightarrow W_w)$ (23)

where $W_w$ is defined as follows:

$W_w = \lambda r \cdot (r \subseteq u \mid \bigcup G \cdot (G \in S \mid Y(r)(G)(r)))$

and $Y(r)(G)(r)$ is defined by:

$Y(q)(G)(r) = \mathrm{FIX}(\overline{q} \Rightarrow (\mathrm{grd}(G) \cap G(r) \mid S))$

The termination relation under the weak fairness assumption is defined as follows:

$T_w = \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge si \cap a \subseteq \mathrm{fix}(\mathcal{F}_w(si \cap b)) \,\}$ (53)

The basic relation $\mathcal{E}_w$ for the reachability relation under the weak fairness assumption is not changed directly:

$\mathcal{E}_w = \bigcup G \cdot (G \in S \mid \mathcal{E}(G))$ (26)

However, $\mathcal{E}(G)$ is redefined to consider the strongest invariant:

$\mathcal{E}(G) = \{\, a \mapsto b \mid a \subseteq u \wedge b \subseteq u \wedge si \cap a \cap \overline{b} \subseteq S(a \cup b) \cap \overline{G(\emptyset)} \cap G(b) \,\}$ (54)

The relation $L_w$ is defined by an induction scheme, according to definition 2.

The following proofs of the hypotheses of theorem 4 allow us to conclude the equality between the reachability and termination relations under a weak fairness assumption:

$L_w = T_w$


B.5.1 Proof of Premise (a)

$a \mapsto b \in \mathcal{E}_w \Rightarrow si \cap a \cap \overline{b} \subseteq W_w(si \cap b)$ (55)

The proof requires the following property:

$\forall G \cdot (G \in S \wedge a \mapsto b \in \mathcal{E}(G) \Rightarrow si \cap a \subseteq Y(si \cap b)(G)(si \cap b))$ (56)

$a \mapsto b \in \mathcal{E}(G)$
$\equiv$ { (54) }
$si \cap a \cap \overline{b} \subseteq S(a \cup b) \cap \overline{G(\emptyset)} \cap G(b)$
$\Rightarrow$ { $si \subseteq S(si)$, conjunctive $S$ and $G$ }
$si \cap a \cap \overline{b} \subseteq S(si \cap a \cup si \cap b) \cap \overline{G(\emptyset)} \cap G(si \cap b)$
$\equiv$
$si \cap a \subseteq si \cap b \cup S(si \cap a \cup si \cap b) \cap \overline{G(\emptyset)} \cap G(si \cap b)$
$\equiv$
$si \cap a \cup si \cap b \subseteq si \cap b \cup S(si \cap a \cup si \cap b) \cap \overline{G(\emptyset)} \cap G(si \cap b)$
$\equiv$ { set transformers }
$si \cap a \cup si \cap b \subseteq (\overline{si \cap b} \Rightarrow \mathrm{grd}(G) \cap G(si \cap b) \mid S)(si \cap a \cup si \cap b)$
$\Rightarrow$ { greatest fixpoint property }
$si \cap a \subseteq \mathrm{FIX}(\overline{si \cap b} \Rightarrow \mathrm{grd}(G) \cap G(si \cap b) \mid S)$
$\equiv$ { def. $Y$ }
$si \cap a \subseteq Y(si \cap b)(G)(si \cap b)$

□

Proof of (55)

1. $\forall G \cdot (G \in S \Rightarrow (a \mapsto b \in \mathcal{E}(G) \Rightarrow si \cap a \subseteq Y(si \cap b)(G)(si \cap b)))$ ; (56)
2. $\exists G \cdot (G \in S \wedge a \mapsto b \in \mathcal{E}(G)) \Rightarrow si \cap a \subseteq W_w(si \cap b)$ ; 1 and def. $W_w$
3. $a \mapsto b \in \bigcup G \cdot (G \in S \mid \mathcal{E}(G)) \Rightarrow si \cap a \subseteq W_w(si \cap b)$ ; 2
4. $a \mapsto b \in \mathcal{E}_w \Rightarrow si \cap a \subseteq W_w(si \cap b)$ ; 3 and (26)
5. $a \mapsto b \in \mathcal{E}_w \Rightarrow si \cap a \subseteq si \cap b \cup W_w(si \cap b)$ ; 4, $si \cap b \subseteq W_w(si \cap b)$
6. $a \mapsto b \in \mathcal{E}_w \Rightarrow si \cap a \cap \overline{b} \subseteq W_w(si \cap b)$ ; 5

□


B.5.2 Proof of Premise (b)

$a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_w$ (57)

1. $a \subseteq b$ ; premise
2. $si \cap a \cap \overline{b} = \emptyset$ ; 1
3. $\forall G \cdot (G \in S \Rightarrow si \cap a \cap \overline{b} \subseteq S(a \cup b) \cap \overline{G(\emptyset)} \cap G(b))$ ; 2
4. $\forall G \cdot (G \in S \Rightarrow a \mapsto b \in \mathcal{E}(G))$ ; 3 and (54)
5. $a \mapsto b \in \bigcup G \cdot (G \in S \mid \mathcal{E}(G))$ ; 4
6. $a \mapsto b \in \mathcal{E}_w$ ; 5 and (26)

□

B.5.3 Proof of Premise (c)

$si \cap a \subseteq b \Rightarrow a \mapsto b \in \mathcal{E}_w$ (58)

1. $si \cap a \subseteq b$ ; premise
2. $si \cap a \cap \overline{b} = \emptyset$ ; 1
3. $\forall G \cdot (G \in S \Rightarrow si \cap a \cap \overline{b} \subseteq S(a \cup b) \cap \overline{G(\emptyset)} \cap G(b))$ ; 2
4. $\forall G \cdot (G \in S \Rightarrow a \mapsto b \in \mathcal{E}(G))$ ; 3 and (54)
5. $a \mapsto b \in \bigcup G \cdot (G \in S \mid \mathcal{E}(G))$ ; 4
6. $a \mapsto b \in \mathcal{E}_w$ ; 5 and (26)

□


B.5.4 Proof of Premise (d)

$\forall r \cdot (r \subseteq u \Rightarrow W_w(r) \mapsto r \in L_w)$ (59)

The proof requires the following property:

$\forall (G, r) \cdot (G \in S \wedge r \subseteq u \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}(G))$ (60)

1. $S(Y(r)(G)(r)) \subseteq S(Y(r)(G)(r) \cup r)$ ; monotony of $S$
2. $Y(r)(G)(r) = r \cup \mathrm{grd}(G) \cap G(r) \cap S(Y(r)(G)(r))$ ; def. $Y$
3. $Y(r)(G)(r) \cap \overline{r} \subseteq \mathrm{grd}(G) \cap G(r) \cap S(Y(r)(G)(r) \cup r)$ ; 2, 1
4. $si \cap Y(r)(G)(r) \cap \overline{r} \subseteq Y(r)(G)(r) \cap \overline{r}$ ; trivial
5. $Y(r)(G)(r) \mapsto r \in \mathcal{E}(G)$ ; 4, 3 and (54)

□

Proof of (59)

1. $\forall G \cdot (G \in S \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}(G))$ ; from (60)
2. $\forall G \cdot (G \in S \Rightarrow \mathcal{E}(G) \subseteq \mathcal{E}_w)$ ; def. $\mathcal{E}_w$
3. $\forall G \cdot (G \in S \Rightarrow Y(r)(G)(r) \mapsto r \in \mathcal{E}_w)$ ; 2 and 1
4. $\forall G \cdot (G \in S \Rightarrow Y(r)(G)(r) \mapsto r \in L_w)$ ; def. $L_w$
5. $\{\, Y(r)(G)(r) \mid G \in S \,\} \times \{r\} \subseteq L_w$ ; 4
6. $\bigcup(\{\, Y(r)(G)(r) \mid G \in S \,\}) \mapsto r \in L_w$ ; 5 and SDR
7. $\bigcup G \cdot (G \in S \mid Y(r)(G)(r)) \mapsto r \in L_w$ ; 6
8. $W_w(r) \mapsto r \in L_w$ ; 7 and def. $W_w$

□
C Proofs of Section 3.1.3

C.1 Proof of (10): $\forall \alpha \cdot (f^{\alpha} \subseteq \mathrm{fix}(f))$

Successor ordinal:

$f^{\alpha} \subseteq \mathrm{fix}(f)$
$\Rightarrow$ { monotony }
$f(f^{\alpha}) \subseteq f(\mathrm{fix}(f))$
$\equiv$ { fixpoint def., def. iterate }
$f^{\alpha + 1} \subseteq \mathrm{fix}(f)$

Limit ordinal:

$\forall \beta \cdot (\beta < \alpha \Rightarrow f^{\beta} \subseteq \mathrm{fix}(f))$
$\Rightarrow$ { monotony }
$\forall \beta \cdot (\beta < \alpha \Rightarrow f(f^{\beta}) \subseteq f(\mathrm{fix}(f)))$
$\equiv$ { fixpoint def. }
$\forall \beta \cdot (\beta < \alpha \Rightarrow f(f^{\beta}) \subseteq \mathrm{fix}(f))$
$\equiv$ { set theory }
$\bigcup \beta \cdot (\beta < \alpha \mid f(f^{\beta})) \subseteq \mathrm{fix}(f)$
$\equiv$ { def. iterate }
$f^{\alpha} \subseteq \mathrm{fix}(f)$

□

C.2 Proof of (11): $\mathcal{F}(r)^{\alpha} \mapsto r \in L$

Successor ordinal

1. $\mathcal{F}(r)^{\alpha} \mapsto r \in L$ ; ind. hyp.
2. $W(\mathcal{F}(r)^{\alpha}) \mapsto \mathcal{F}(r)^{\alpha} \in L$ ; from hyp. (c) th. 2
3. $W(\mathcal{F}(r)^{\alpha}) \mapsto r \in L$ ; 2, 1 and STR
4. $r \mapsto r \in L$ ; hyp. (b) th. 2, SBR
5. $r \cup W(\mathcal{F}(r)^{\alpha}) \mapsto r \in L$ ; 4, 3 and SDR
6. $\mathcal{F}(r)(\mathcal{F}(r)^{\alpha}) \mapsto r \in L$ ; 5 and def. $\mathcal{F}$
7. $\mathcal{F}(r)^{\alpha + 1} \mapsto r \in L$ ; 6 and def. iterate

□
D Proofs of Section 3.3

D.1 Termination Set of Fair Loop: $\mathrm{pre}(Y(q)(G)) = \mathrm{fix}(\overline{q} \cap G(\emptyset) \Rightarrow (\overline{S(q)} \mid S))$

$\mathrm{pre}(Y(q)(G))$
$=$ { def. of pre }
$Y(q)(G)(u)$
$=$ { def. $Y$, fixpoint property }
$q \cup ((S ; Y(q)(G)) \nabla (\mathrm{grd}(G) \mid G))(u)$
$=$ { def. dovetail, $X = (S ; Y(q)(G))$, $Z = (\mathrm{grd}(G) \mid G)$ }
$q \cup ((X(u) \cup Z(u)) \cap (\overline{X(\emptyset)} \cup Z(u)) \cap (X(u) \cup \overline{Z(\emptyset)}))$
$=$ { $G(u) = u$, $Z(u) = \mathrm{grd}(G)$, $Z(\emptyset) = \emptyset$ }
$q \cup ((X(u) \cup \mathrm{grd}(G)) \cap (\overline{X(\emptyset)} \cup \mathrm{grd}(G)))$
$=$ { distributivity }
$q \cup \mathrm{grd}(G) \cup (X(u) \cap \overline{X(\emptyset)})$
$=$ { $X = (S ; Y(q)(G))$, set transformer }
$q \cup \mathrm{grd}(G) \cup (S(Y(q)(G)(u)) \cap \overline{S(Y(q)(G)(\emptyset))})$
$=$ { def. $\mathrm{grd}(Y(q)(G))$, $\mathrm{grd}(G)$ and set transformer }
$(\overline{q} \cap G(\emptyset) \Rightarrow (\overline{S(q)} \mid S))(Y(q)(G)(u))$
$=$ { extreme solution of recursive equation }
$\mathrm{fix}(\overline{q} \cap G(\emptyset) \Rightarrow (\overline{S(q)} \mid S))$

□

D.2 Liberal of $Y(q)(G)$: $\mathcal{L}(Y(q)(G))(r) = \mathrm{FIX}(\overline{q} \Rightarrow (\mathrm{grd}(G) \cap G(r) \mid S))$

For $r \subseteq u \wedge r \neq u$:

$\mathcal{L}(Y(q)(G))(r)$
$=$ { def. $Y$, liberal set transformer of guard and dovetail }
$q \cup (\mathcal{L}(S ; Y(q)(G))(r) \cap \mathcal{L}(\mathrm{grd}(G) \mid G)(r))$
$=$ { $r \neq u$, $\mathcal{L}(\mathrm{grd}(G) \mid G)(r) = \mathrm{grd}(G) \cap \mathcal{L}(G)(r)$, $\mathcal{L}(G)(r) = G(r)$ }
$q \cup (\mathcal{L}(S ; Y(q)(G))(r) \cap \mathrm{grd}(G) \cap G(r))$
$=$ { liberal set transformer of sequencing, $\mathcal{L}(S)(r) = S(r)$ }
$q \cup (S(\mathcal{L}(Y(q)(G))(r)) \cap \mathrm{grd}(G) \cap G(r))$
$=$ { liberal set transformer of guarded and preconditioned events }
$(\overline{q} \Rightarrow \mathrm{grd}(G) \cap G(r) \mid S)(\mathcal{L}(Y(q)(G))(r))$
$=$ { extreme solution of recursive equation }
$\mathrm{FIX}(\overline{q} \Rightarrow \mathrm{grd}(G) \cap G(r) \mid S)$

For $r = u$ we prove:

$\mathcal{L}(Y(q)(G))(u) = u$

First, we note that the equality $\mathcal{L}(Y(q)(G))(u) = \mathrm{FIX}(\overline{q} \Rightarrow S)$ holds:

$\mathcal{L}(Y(q)(G))(u)$
$=$ { def. $Y$, liberal set transformer of guard and dovetail }
$q \cup (\mathcal{L}(S ; Y(q)(G))(u) \cap \mathcal{L}(\mathrm{grd}(G) \mid G)(u))$
$=$ { $\mathcal{L}(\mathrm{grd}(G) \mid G)(u) = u$ }
$q \cup \mathcal{L}(S ; Y(q)(G))(u)$
$=$ { $S(u) = u$, set transformers }
$(\overline{q} \Rightarrow S)(\mathcal{L}(Y(q)(G))(u))$
$=$ { extreme solution }
$\mathrm{FIX}(\overline{q} \Rightarrow S)$

As $(\overline{q} \Rightarrow S)(u) = u$ holds, it follows that $u \subseteq \mathrm{FIX}(\overline{q} \Rightarrow S)$. Therefore, $\mathcal{L}(Y(q)(G))(u) = u$ follows from $u \subseteq \mathrm{FIX}(\overline{q} \Rightarrow S)$ and this equality. □


D.3 Proof of (…): $\mathcal{L}(Y(q)(G))(r) \subseteq \mathrm{pre}(Y(q)(G))$

$\mathcal{L}(Y(q)(G))(r)$
= { (…) and fixpoint property }
$q \cup \mathrm{grd}(G) \cap G(r) \cap S(\mathcal{L}(Y(q)(G))(r))$
$\subseteq$ { set theory }
$q \cup \mathrm{grd}(G)$
$\subseteq$ { set theory }
$q \cup \mathrm{grd}(G) \cup S(q) \cap S(\mathrm{pre}(Y(q)(G)))$
= { set transformers }
$(\overline{q} \cap G(\emptyset) \Rightarrow (S(q) \mid S))(\mathrm{pre}(Y(q)(G)))$
= { (…) and fixpoint property }
$\mathrm{pre}(Y(q)(G))$

□


D.4 Monotonicity of Fair Loop: $a \subseteq b \Rightarrow Y(q)(G)(a) \subseteq Y(q)(G)(b)$

Let $a$ and $b$ be two subsets of $u$, and let $F(q)(a)$ and $F(q)(b)$ be the following set transformers:

$F(q)(a) = (\overline{q} \Rightarrow G(a) \cap \mathrm{grd}(G) \mid S)$

$F(q)(b) = (\overline{q} \Rightarrow G(b) \cap \mathrm{grd}(G) \mid S)$

$a \subseteq b$
$\Rightarrow$ { monotonicity of $G$ }
$G(a) \subseteq G(b)$
$\Rightarrow$ { set theory }
$\forall r \cdot (r \subseteq u \Rightarrow (q \cup G(a) \cap \mathrm{grd}(G) \cap S(r)) \subseteq (q \cup G(b) \cap \mathrm{grd}(G) \cap S(r)))$
$\Rightarrow$ { set transformers }
$\forall r \cdot (r \subseteq u \Rightarrow (\overline{q} \Rightarrow G(a) \cap \mathrm{grd}(G) \mid S)(r) \subseteq (\overline{q} \Rightarrow G(b) \cap \mathrm{grd}(G) \mid S)(r))$
$\Rightarrow$ { def. $F(q)(a)$ and $F(q)(b)$ }
$\forall r \cdot (r \subseteq u \Rightarrow F(q)(a)(r) \subseteq F(q)(b)(r))$
$\Rightarrow$ { set theory }
$\forall r \cdot (r \subseteq u \Rightarrow (r \subseteq F(q)(a)(r) \Rightarrow r \subseteq F(q)(b)(r)))$
$\Rightarrow$ { set theory }
$\{ r \mid r \subseteq u \wedge r \subseteq F(q)(a)(r) \} \subseteq \{ r \mid r \subseteq u \wedge r \subseteq F(q)(b)(r) \}$
$\Rightarrow$ { set theory }
$\bigcup(\{ r \mid r \subseteq u \wedge r \subseteq F(q)(a)(r) \}) \subseteq \bigcup(\{ r \mid r \subseteq u \wedge r \subseteq F(q)(b)(r) \})$
$\Rightarrow$ { def. $\mathrm{FIX}(f)$, $F(q)(a)$ and $F(q)(b)$ }
$\mathrm{FIX}(\overline{q} \Rightarrow G(a) \cap \mathrm{grd}(G) \mid S) \subseteq \mathrm{FIX}(\overline{q} \Rightarrow G(b) \cap \mathrm{grd}(G) \mid S)$
$\Rightarrow$ { (…) }
$Y(q)(G)(a) \subseteq Y(q)(G)(b)$

□


D.5 Guard of Fair Loop: $\mathrm{grd}(Y(q)(G)) = \overline{q}$

$\mathrm{grd}(Y(q)(G))$
= { def. guard }
$\overline{Y(q)(G)(\emptyset)}$
= { (…) }
$\overline{q \cup ((S ; Y(q)(G)) \vee (\mathrm{grd}(G) \mid G))(\emptyset)}$
= { set theory }
$\overline{q} \cap \overline{((S ; Y(q)(G)) \vee (\mathrm{grd}(G) \mid G))(\emptyset)}$
= { def. guard dovetail }
$\overline{q} \cap (\mathrm{grd}(S ; Y(q)(G)) \cup \mathrm{grd}(\mathrm{grd}(G) \mid G))$
= { $\mathrm{grd}(\mathrm{grd}(G) \mid G) = u$ }
$\overline{q}$

□

D.6 Strictness of $W_w$: $W_w(\emptyset) = \emptyset$

$W_w(\emptyset)$
= { (…) }
$\bigcup G \cdot (G \in S \mid Y(\emptyset)(G)(\emptyset))$
= { def. of grd }
$\bigcup G \cdot (G \in S \mid \overline{\mathrm{grd}(Y(\emptyset)(G))})$
= { $\mathrm{grd}(Y(\emptyset)(G)) = \overline{\emptyset}$ }
$\bigcup G \cdot (G \in S \mid \emptyset)$
=
$\emptyset$

□
D.7 Monotonicity of $W_w$: $a \subseteq b \Rightarrow W_w(a) \subseteq W_w(b)$

First we prove, for any subsets $a$ and $b$ of $u$, that $a \subseteq b \Rightarrow Y(a)(G)(b) \subseteq Y(b)(G)(b)$. Let $T(a) = \mathrm{FIX}(\overline{a} \Rightarrow (\mathrm{grd}(G) \cap G(b) \mid S))$:

$a \subseteq b$
$\Rightarrow$ { for any $G \in S$ }
$a \cup \mathrm{grd}(G) \cap G(b) \cap S(T(a)) \subseteq b \cup \mathrm{grd}(G) \cap G(b) \cap S(T(a))$
$\Rightarrow$ { prop. FIX }
$T(a) \subseteq b \cup \mathrm{grd}(G) \cap G(b) \cap S(T(a))$
$\Rightarrow$ { guarded set transformer }
$T(a) \subseteq (\overline{b} \Rightarrow \mathrm{grd}(G) \cap G(b) \mid S)(T(a))$
$\Rightarrow$ { prop. FIX }
$T(a) \subseteq \mathrm{FIX}(\overline{b} \Rightarrow \mathrm{grd}(G) \cap G(b) \mid S)$
$\Rightarrow$ { (…) }
$Y(a)(G)(b) \subseteq Y(b)(G)(b)$

Now, the proof of monotonicity is:

$a \subseteq b$
$\Rightarrow$ { monotonicity of $Y(q)(G)$ for $q = a$ and $G \in S$ }
$Y(a)(G)(a) \subseteq Y(a)(G)(b)$
$\Rightarrow$ { $Y(a)(G)(b) \subseteq Y(b)(G)(b)$ }
$Y(a)(G)(a) \subseteq Y(b)(G)(b)$
$\Rightarrow$
$Y(a)(G)(a) \subseteq \bigcup G' \cdot (G' \in S \mid Y(b)(G')(b))$
$\Rightarrow$
$\bigcup G \cdot (G \in S \mid Y(a)(G)(a)) \subseteq \bigcup G' \cdot (G' \in S \mid Y(b)(G')(b))$
$\Rightarrow$ { (…) }
$W_w(a) \subseteq W_w(b)$

□
E Proofs of Section (…)

E.1 Proof of (30): $\forall n \cdot (n \in \mathbb{N} \Rightarrow v'(n) = \bigcup i \cdot (i \in \mathbb{N} \wedge i < n \mid v(i)))$

The proof is by induction over $\mathbb{N}$. The base case:

$v'(0)$
= { def. $v'$ }
$\{ z \mid z \in u \wedge V(z) < 0 \}$
= { $V \in u \rightarrow \mathbb{N}$ }
$\emptyset$
= { empty range }
$\bigcup i \cdot (i \in \mathbb{N} \wedge i < 0 \mid v(i))$

Inductive step:

$v'(n) = \bigcup i \cdot (i \in \mathbb{N} \wedge i < n \mid v(i))$
$\Rightarrow$
$v'(n) \cup v(n) = \bigcup i \cdot (i \in \mathbb{N} \wedge i < n \mid v(i)) \cup v(n)$
$\Rightarrow$ { def. $V$ and $v'$ }
$v'(n+1) = \bigcup i \cdot (i \in \mathbb{N} \wedge i < n+1 \mid v(i))$

□


E.2 Proof of (…): $\bigcup i \cdot (i \in \mathbb{N} \mid v'(i+1)) = \bigcup i \cdot (i \in \mathbb{N} \mid v(i))$

$\bigcup i \cdot (i \in \mathbb{N} \mid v'(i+1))$
= { def. $v'$ }
$\bigcup i \cdot (i \in \mathbb{N} \mid \{ z \mid z \in u \wedge V(z) < i+1 \})$
=
$\bigcup i \cdot (i \in \mathbb{N} \mid \{ z \mid z \in u \wedge V(z) \leq i \})$
=
$\bigcup i \cdot (i \in \mathbb{N} \mid \{ z \mid z \in u \wedge V(z) = i \})$
= { def. $v$ }
$\bigcup i \cdot (i \in \mathbb{N} \mid v(i))$

□


E.3 Proof of (…): $\bigcup i \cdot (i \in \mathbb{N} \mid v(i)) = u$

$u \subseteq \bigcup i \cdot (i \in \mathbb{N} \mid v(i))$
$\Leftrightarrow$ { set theory }
$\forall x \cdot (x \in u \Rightarrow x \in \bigcup i \cdot (i \in \mathbb{N} \mid v(i)))$
$\Leftrightarrow$
$\forall x \cdot (x \in u \Rightarrow \exists i \cdot (i \in \mathbb{N} \wedge x \in v(i)))$
$\Leftrightarrow$ { def. $v$ }
$\forall x \cdot (x \in u \Rightarrow \exists i \cdot (i \in \mathbb{N} \wedge V(x) = i))$

□
E.4 Proof of (33): $\forall n \cdot (n \in \mathbb{N} \Rightarrow \bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i)) \cap p \subseteq f^{n+1})$

The proof is by induction. Base case:

1. $\forall n \cdot (n \in \mathbb{N} \Rightarrow v(n) \cap p \subseteq f(v'(n)))$ ; premise
2. $v(0) \cap p \subseteq f(v'(0))$ ; 1
3. $v(0) \cap p \subseteq f(\emptyset)$ ; 2 and def. $v'$
4. $v(0) \cap p \subseteq f^{1}$ ; $f(\emptyset) = f^{1}$
5. $\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq 0 \mid v(i)) \cap p \subseteq f^{1}$ ; 4

Inductive step:

1. $\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i)) \cap p \subseteq f^{n+1}$ ; inductive hyp.
2. $f(\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i)) \cap p) \subseteq f(f^{n+1})$ ; 1 and monotonic $f$
3. $\forall n \cdot (n \in \mathbb{N} \Rightarrow v(n) \cap p \subseteq f(v'(n)))$ ; premise
4. $v(n+1) \cap p \subseteq f(v'(n+1))$ ; 3
5. $v'(n+1) = \bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i))$ ; from (30)
6. $p \subseteq f(p)$ ; premise
7. $v(n+1) \cap p \subseteq f(v'(n+1)) \cap f(p)$ ; 6 and 4
8. $v(n+1) \cap p \subseteq f(v'(n+1) \cap p)$ ; 7 and conjunctivity of $f$
9. $v(n+1) \cap p \subseteq f^{n+2}$ ; 8, 5 and 2
10. (…) ; from (…)
11. $\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i)) \cap p \subseteq f^{n+2}$ ; 10 and 1
12. $\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n \mid v(i)) \cap p \cup v(n+1) \cap p \subseteq f^{n+2}$ ; 11, 9 and (…)
13. $\bigcup i \cdot (i \in \mathbb{N} \wedge i \leq n+1 \mid v(i)) \cap p \subseteq f^{n+2}$ ; 12

□


E.5 Proof of (34): $\forall \alpha \cdot (F_w(b)^{\alpha} \subseteq b \cup (\mathrm{grd}(S) \cap S(\mathrm{fix}(F_w(b)))))$

The proof is given by transfinite induction considering the following abbreviations:

$B = \mathrm{fix}(F_w(b))$ (61)

$F = F_w(b)$ (62)

Successor ordinal:

1. $F_w(b)^{\alpha} \subseteq b \cup (\mathrm{grd}(S) \cap S(B))$ ; ind. hyp.
2. $F_w(b)(F^{\alpha}) = b \cup W_w(F^{\alpha})$ ; (…)
3. $F_w(b)(F^{\alpha}) = b \cup \bigcup G \cdot (G \in S \mid Y(F^{\alpha})(G)(F^{\alpha}))$ ; 2 and (22)
4. $F_w(b)(F^{\alpha}) = b \cup \bigcup G \cdot (G \in S \mid \mathrm{FIX}(\overline{F^{\alpha}} \Rightarrow \mathrm{grd}(G) \cap G(F^{\alpha}) \mid S))$ ; 3 and (…)
5. $F_w(b)(F^{\alpha}) = b \cup \bigcup G \cdot (G \in S \mid F^{\alpha} \cup (\mathrm{grd}(G) \cap G(F^{\alpha}) \cap S(Y(F^{\alpha})(G)(F^{\alpha}))))$ ; 4
6. $F_w(b)(F^{\alpha}) \subseteq b \cup \bigcup G \cdot (G \in S \mid F^{\alpha} \cup (\mathrm{grd}(G) \cap S(Y(F^{\alpha})(G)(F^{\alpha}))))$ ; 5
7. $F_w(b)(F^{\alpha}) \subseteq b \cup \bigcup G \cdot (G \in S \mid F^{\alpha} \cup (\mathrm{grd}(G) \cap S(W_w(F^{\alpha}))))$ ; 6 and (…)
8. $F_w(b)(F^{\alpha}) \subseteq b \cup \bigcup G \cdot (G \in S \mid F^{\alpha} \cup (\mathrm{grd}(S) \cap S(W_w(F^{\alpha}))))$ ; 7 and $\mathrm{grd}(G) \subseteq \mathrm{grd}(S)$
9. $F_w(b)(F^{\alpha}) \subseteq b \cup \bigcup G \cdot (G \in S \mid F^{\alpha} \cup (\mathrm{grd}(S) \cap S(F_w(b)(F^{\alpha}))))$ ; 8 and (…)
10. $F_w(b)^{\alpha+1} \subseteq b \cup F^{\alpha} \cup (\mathrm{grd}(S) \cap S(F_w(b)^{\alpha+1}))$ ; 9 and (…)
11. $F_w(b)^{\alpha+1} \subseteq b \cup F^{\alpha} \cup (\mathrm{grd}(S) \cap S(B))$ ; 10 and (…)
12. $F_w(b)^{\alpha+1} \subseteq b \cup (\mathrm{grd}(S) \cap S(B))$ ; 11 and 1
Limit ordinal:

1. $\forall \beta \cdot (\beta < \alpha \Rightarrow F^{\beta} \subseteq b \cup (\mathrm{grd}(S) \cap S(B)))$ ; ind. hyp.
2. $F(F^{\beta}) = b \cup W_w(F^{\beta})$ ; (…), $\beta < \alpha$
3. $F(F^{\beta}) = b \cup \bigcup G \cdot (G \in S \mid Y(F^{\beta})(G)(F^{\beta}))$ ; (…)
4. $F(F^{\beta}) = b \cup \bigcup G \cdot (G \in S \mid \mathrm{FIX}(\overline{F^{\beta}} \Rightarrow \mathrm{grd}(G) \cap G(F^{\beta}) \mid S))$ ; 3, (…)
5. $F(F^{\beta}) = b \cup \bigcup G \cdot (G \in S \mid F^{\beta} \cup (\mathrm{grd}(G) \cap G(F^{\beta}) \cap S(Y(F^{\beta})(G)(F^{\beta}))))$ ; 4
6. $F(F^{\beta}) \subseteq b \cup F^{\beta} \cup (\mathrm{grd}(S) \cap S(F(F^{\beta})))$ ; 5, (…) and (…)
7. $F(F^{\beta}) \subseteq b \cup F^{\beta} \cup (\mathrm{grd}(S) \cap S(B))$ ; 6 and (…)
8. $F(F^{\beta}) \subseteq b \cup (\mathrm{grd}(S) \cap S(B))$ ; 7, 1 and $\beta < \alpha$
9. $\bigcup \beta \cdot (\beta < \alpha \mid F(F^{\beta})) \subseteq b \cup (\mathrm{grd}(S) \cap S(B))$ ; 8
10. $F^{\alpha} \subseteq b \cup (\mathrm{grd}(S) \cap S(B))$ ; 9 and (…)
Using (34), the proof of the sufficient conditions is as follows:

1. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \overline{b} \cap v(n) \subseteq S(v'(n)))$ ; premise
2. $a \mapsto b \in L_w$ ; premise
3. $\forall \alpha \cdot (F_w(b)^{\alpha} \subseteq b \cup (\mathrm{grd}(S) \cap S(\mathrm{fix}(F_w(b)))))$ ; (34)
4. $\exists \alpha \cdot (\mathrm{fix}(F_w(b)) = F_w(b)^{\alpha})$ ; Theorem (…)
5. $\mathrm{fix}(F_w(b)) \subseteq b \cup (\mathrm{grd}(S) \cap S(\mathrm{fix}(F_w(b))))$ ; 4 and 3
6. $\mathrm{fix}(F_w(b)) \subseteq F_m(b)(\mathrm{fix}(F_w(b)))$ ; 5 and (…)
7. $a \mapsto b \in T_w$ ; 2, equality (29)
8. $a \subseteq \mathrm{fix}(F_w(b))$ ; 7 and def. $T_w$
9. $\mathrm{fix}(F_w(b)) \cap \overline{b} \subseteq \mathrm{grd}(S)$ ; 5
10. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \overline{b} \cap \mathrm{fix}(F_w(b)) \cap v(n) \subseteq \mathrm{grd}(S) \cap S(v'(n)))$ ; 9 and 1
11. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \mathrm{fix}(F_w(b)) \cap v(n) \subseteq b \cup \mathrm{grd}(S) \cap S(v'(n)))$ ; 10
12. $\forall n \cdot (n \in \mathbb{N} \Rightarrow \mathrm{fix}(F_w(b)) \cap v(n) \subseteq F_m(b)(v'(n)))$ ; 11 and (…)
13. $\mathrm{fix}(F_w(b)) \subseteq \mathrm{fix}(F_m(b))$ ; 12, 6 and th. (…)
14. $a \subseteq \mathrm{fix}(F_m(b))$ ; 13 and 8
15. $a \mapsto b \in T_m$ ; 14 and def. $T_m$
16. $a \mapsto b \in L_m$ ; 15, equality (…)

□
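The objects manipulated in D.4 to D.7 and in the proof of (34) can be computed on a small finite system. The following Python is an added example, not code from the report: it builds the guarded set transformers of two constructed events, takes $Y(q)(G)(r) = \mathrm{FIX}(\overline{q} \Rightarrow (\mathrm{grd}(G) \cap G(r) \mid S))$ as in D.4 and D.7 and $W_w(q) = \bigcup G \cdot (G \in S \mid Y(q)(G)(q))$, and checks $\mathrm{grd}(Y(q)(G)) = \overline{q}$ (D.5), $W_w(\emptyset) = \emptyset$ (D.6) and both monotonicity results exhaustively over all subsets of the state space. It then compares $\mathrm{fix}(F_w(b))$, with $F_w(b)(r) = b \cup W_w(r)$ as in step 2 of the proof of (34), against $\mathrm{fix}(F_m(b))$ with $F_m(b)(r) = b \cup (\mathrm{grd}(S) \cap S(r))$ (the shape assumed from step 6 of the sufficient-conditions proof): the state that can stutter forever reaches $b$ only under weak fairness. The readings $(\overline{q} \Rightarrow T)(x) = q \cup T(x)$, $(p \mid T)(x) = p \cap T(x)$ and $S(x) = \bigcap G \cdot (G \in S \mid G(x))$ are assumptions taken from the expansions in the proofs above; the event names and state space are constructed.

```python
# Added example, not from the report: the fair-loop transformer
# Y(q)(G)(r) = FIX(q̄ ⇒ (grd(G) ∩ G(r) | S)) and W_w(q) = ⋃G·(G ∈ S | Y(q)(G)(q))
# on a constructed two-event system; checks D.4 to D.7 and compares the
# weak-fairness and minimal-progress leads-to sets. Names and states are ours.
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterator

State = int
Sets = FrozenSet[State]
U: Sets = frozenset({0, 1, 2})

# Constructed events, given by their transition relations. At state 0 both
# are enabled: `stay` loops on 0 while `go` moves to 1. State 2 only loops
# on itself under `go` and never reaches 1. State 1 is the target.
EVENTS: Dict[str, Dict[State, Sets]] = {
    "stay": {0: frozenset({0})},
    "go":   {0: frozenset({1}), 2: frozenset({2})},
}

def grd(name: str) -> Sets:
    """grd(G): the states in which G is enabled."""
    return frozenset(EVENTS[name])

def ev(name: str, r: Sets) -> Sets:
    """Guarded set transformer G(r) = complement(grd(G)) ∪ wp(body, r)."""
    rel = EVENTS[name]
    return frozenset(s for s in U if s not in rel or rel[s] <= r)

def sys_s(r: Sets) -> Sets:
    """S = choice of all events (assumed): S(r) = ∩G·(G ∈ S | G(r))."""
    out = U
    for name in EVENTS:
        out &= ev(name, r)
    return out

GRD_S: Sets = frozenset().union(*(grd(n) for n in EVENTS))   # grd(S)

def fixpoint(f: Callable[[Sets], Sets], start: Sets) -> Sets:
    """Iterate a monotone f from `start` until stable: start=∅ yields
    fix(f), start=U yields FIX(f), on this finite lattice."""
    cur = start
    while True:
        nxt = f(cur)
        if nxt == cur:
            return cur
        cur = nxt

def y(q: Sets, name: str, r: Sets) -> Sets:
    """Y(q)(G)(r) = FIX(q̄ ⇒ (grd(G) ∩ G(r) | S)), the fixpoint form of D.4/D.7,
    with (q̄ ⇒ T)(x) = q ∪ T(x) and (p | T)(x) = p ∩ T(x) (assumed readings)."""
    body = grd(name) & ev(name, r)
    return fixpoint(lambda x: q | (body & sys_s(x)), U)

def w_w(q: Sets) -> Sets:
    """W_w(q) = ⋃G·(G ∈ S | Y(q)(G)(q))."""
    return frozenset().union(*(y(q, n, q) for n in EVENTS))

def grd_y(q: Sets, name: str) -> Sets:
    """grd(Y(q)(G)) = complement of Y(q)(G)(∅); D.5 says this equals q̄."""
    return U - y(q, name, frozenset())

def leads_to_weak(b: Sets) -> Sets:
    """fix(F_w(b)) with F_w(b)(r) = b ∪ W_w(r), as in step 2 of the proof of (34)."""
    return fixpoint(lambda r: b | w_w(r), frozenset())

def leads_to_min(b: Sets) -> Sets:
    """fix(F_m(b)) with F_m(b)(r) = b ∪ (grd(S) ∩ S(r)) (assumed shape of F_m)."""
    return fixpoint(lambda r: b | (GRD_S & sys_s(r)), frozenset())

def subsets() -> Iterator[Sets]:
    for k in range(len(U) + 1):
        for c in combinations(sorted(U), k):
            yield frozenset(c)

def monotone_everywhere() -> bool:
    """D.4 (Y monotone in r) and D.7 (W_w monotone) over all pairs a ⊆ b."""
    for a in subsets():
        for b in subsets():
            if not a <= b:
                continue
            if not w_w(a) <= w_w(b):
                return False
            for q in subsets():
                for n in EVENTS:
                    if not y(q, n, a) <= y(q, n, b):
                        return False
    return True

if __name__ == "__main__":
    target = frozenset({1})
    print("W_w({1}) =", sorted(w_w(target)), " W_w(∅) =", sorted(w_w(frozenset())))
    print("grd(Y({1})(go)) =", sorted(grd_y(target, "go")))
    print("weak fairness:", sorted(leads_to_weak(target)),
          " minimal progress:", sorted(leads_to_min(target)))
    print("monotone:", monotone_everywhere())
```

State 0 belongs to $\mathrm{fix}(F_w(\{1\}))$ but not to $\mathrm{fix}(F_m(\{1\}))$: under minimal progress a run may choose `stay` forever, whereas weak fairness on the continuously enabled `go` forces it to fire. State 2 is in neither set, since `go` is the only event enabled there and it never leaves 2, which is exactly what $\mathrm{grd}(G) \cap G(r)$ in the fair-loop body excludes.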